Inside big tech's last-minute scramble to comply with Europe's new privacy rules


#1

Originally published at: https://boingboing.net/2018/01/30/deathbed-conversions.html


#2

Just one more reason to leave this ‘shithole’ country and move to Europe. Human beings are still considered ‘citizens’ there and not just ‘consumers’ who are looked at as just another commodity to be exploited. MAGA!!!


#3

The General Data Protection Regulation will be enforced as of May… Tech companies have had years to comply with this rule, but have been playing high-stakes chicken…

Waiting until the law takes effect isn’t “playing chicken.” It’s normal. I’ll bet they even planned their compliance action.


#4

However, as someone who works in that compliance industry, I can tell you it will take most large companies 12-18 months to set up the infrastructure and processes to comply with GDPR. So they are playing chicken because they will be out of compliance (or, more accurately, have no way to know if they are complying or not) for a year or more while they procure software and deploy it.


#5

Basically, Big Data companies reacted like this:
“Hahahahahaha… [years later]… hahahaha… Wait. You’re not kidding?!”


#6

It’s a shame that Internet companies won’t treat regulations like this the way car companies treat California emissions regulations, i.e. implement them everywhere for overall cost savings. I’d love to get even a little of that privacy love over here in the land where the almighty dollar trumps personal liberties every day of the week.


#7

I run marketing for a US-based company with global offices, and we’re doing exactly this. All our data policies and procedures will align with the GDPR, so we’ll likely be in compliance with privacy regulations anywhere in the world.


#8

Meanwhile, in the USA, the GOP Congress will pass legislation giving internet companies more rights to gather and sell your personal information.


#9

I think that the fines you mentioned are totally unrelated to tech companies implementing the GDPR. It is taking a long time to implement because it is a massive, vague (extremely vague) piece of legislation and people are working to become compliant by the time necessary - not hugely before. I’ve spent a significant amount of time at my company working on GDPR compliance, and it’s not that people want to miss it; it’s just that GDPR compliance is a huge deal that has to be scheduled along with the rest of your roadmap.


#10

There must be some kind of mistake; it says here that a government is holding multinational corporations to account.


#11

This.


#12

Of course they’re unrelated, since the GDPR isn’t applicable yet, but they show the willingness of the European Courts to strike hard if necessary.

How so? I’m genuinely curious.


#13

Yeah, companies aren’t “playing high-stakes chicken”, it’s just a massive change and few companies have taken it seriously until the last six months. It seems to be less of a pain in the arse than PCI compliance*, but I’ll be surprised if all of our clients are there by the end of the year. You basically have to account for every bit of data in the entire company, and work out first if it might relate to an individual, and then work out what you’re doing with it.

One good thing, it also applies to staff data that you might hold, as well as customers.

*(Payment Card Industry, ie, the regulations you have to comply with to be anywhere near a credit card)


#14

Which companies should already have been doing for years now.

I can appreciate that it comes as a bit of a shock if you’re a company without any establishment in the EU and have been merrily collecting EU citizens’ data without worrying about what you’re collecting or why you’re collecting it.

Although you’d hope that companies would know what info they collect and why they collect it… [waits for laughter to subside]


#15

But there was no real regulatory reason to, therefore no one bothered.


#16

Actually there were not a lot of reasons for this. As an example, consider that the GDPR distinguishes between data controllers and data processors. There are a loooot of legal technicalities here, but broadly a data controller is a first-party collector of information. Most likely boingboing is a data collector because they may collect your name, for instance. Now boingboing looks like it has Google Analytics installed; that is a data processor, which is to say it’s taking 3rd-party data (boingboing’s) and storing it. The GDPR allows someone who is a client of the data collector (boingboing) to ask the data processor (GA) to delete all references to them - not just within boingboing but across ALL of their data stores (so basically every site they may have visited that had GA installed on it).

So it’s not that a company “doesn’t know” what data they have - it’s just that they haven’t built tooling to do things like this for a number of reasons including a) it’s expensive and time consuming b) it’s somewhat opposed to the desires of their clients (sites like boingboing) which generally want to be SILOED from each other.

Now obviously GA is part of the goog which has massive financial resources but this applies to EVERY company that may be regarded as a data processor. There are also a ton of other details to this.


#17

Vagueness as to what is a data controller vs. data processor (which is a massive, massive difference in terms of your responsibilities). There is also vagueness on requirements regarding data privacy because of the fact that the GDPR allows member states to set MORE restrictive requirements (so, for instance, Germany has a more restrictive privacy policy on healthcare data). Also there was for a while (though this seems sorted) some concern about how the GDPR would play with the EU-US Privacy Shield https://www.privacyshield.gov/welcome.

My understanding of the legal vagueness is definitely a layperson’s (I am an engineer, not a lawyer), but it comes from working with lawyers around this; they have expressed a LOT of frustration around it and ask me lots of questions about how our systems work so that we can understand how the law applies to them.

Just to be clear also - I’m not saying the GDPR is bad or we shouldn’t have it - just that it’s imperfect (understandably) and a lot of fucking work.


#18

Sorry but I have to disagree that this is especially different from what should already have been taking place under the previous data protection directive.

Data processors were data processors then too. The reason we have the new directive is that all the data controllers (who were supposed to be making sure the data processors they used processed the information in ways that are compatible with the directive) just said “Oh, well, it’s google [or whichever non-EU based data processor you prefer]. They do it the way they do it and there’s nothing we can do about it. We need the stuff google provides so we’ll just tick the box that says it’s all fine if anyone asks.”

As for the right to have your data deleted, that only applies if the collection is justified by consent of the person the data relates to or in a small number of limited other categories.

If they withdraw consent, of course the data has to be deleted, otherwise the idea of consent is irrelevant.

If you justified the data collection on one of the other grounds, you don’t need to worry about that.

All that of course does require you to have thought about what you are collecting, why you are collecting it and which legal reasons you have justifying your ability to collect (and continue to store) it.

Most organisations don’t really do that. I imagine the sort of organisations you deal with do but most of the little shops and middling accountants, etc. just collect whatever information seems good to whoever without ever sitting down and justifying why they need or want it.

Putting it differently, the firm I work at has been in existence for over 200 years. In that time, the firm has collected a hell of a lot of information about a lot of people - most of whom are thankfully now long dead. Only relatively recently has there been any idea that there is any need to consider why we take and keep any particular piece of information.

Most of what we take is obviously justified by being necessary to fulfill our contract. Some of it isn’t. We just collect it because there is a box on our forms for it or because some partner at some point in the past (of course no one knows who) decided we should.

Well, the honest answer there is that there is not a cat in hell’s chance that the Privacy Shield will stand up to court scrutiny any more than the ‘Safe Harbour’ did.

The only safe advice for EU organisations is not to have your data subjects’ data processed or held in the US if you can manage it.

In practice that tends to mean ask whoever is setting up your systems whether the data will be held or processed in the US and don’t think too hard about it when they say it won’t.

I can imagine. There’s nothing more fun than conversations between two very different but equally technical fields, where each is trying to work out how to express what the other is saying in terms that make sense to them.

Especially if you have US lawyers trying to make sense of an EU regulation. They are drafted in a particular style of their own.

Oh yes. But the work should have been started a long time ago and progressed with a bit more oomph from the outset…

But of course, that’s difficult when you are trying to make sure you do the minimum to comply when the exact details haven’t been worked out yet.

