GDPR, a new era?

Frederike Kaltheuner, Data Exploitation programme lead at Privacy International, talks about GDPR, the GAFA multinationals, compliance, fines, extraterritorial scope and digital rights.


We are very excited about GDPR because an overhaul was long overdue. In the U.K., for example, the Data Protection Act is from 1998. I think that's the year that Google was founded and long before companies like Facebook existed. So GDPR is a very positive and exciting step in the right direction. We are now seeing one-page ads from companies in newspapers not just embracing but also celebrating GDPR. Sometimes those were the very companies who were involved in lobbying against GDPR. So GDPR proves that regulation works in that it pressures or it sets the right incentives for companies to comply with privacy standards.

It is very dangerous to assume that technology is so complicated that it cannot be regulated. And if you watch the hearings in the US Senate, that was the takeaway that many journalists, also even civil society organizations in the US, took away. That's dangerous because what we're dealing with might be new and complex but it's not rocket science. As a society we regulate all sorts of complex things and it is important that we do not place the onus on people to protect themselves but that people are protected by default. One example would be food safety. I'm not a chemist and I'm not an expert in analyzing the chemistry of the food I am eating. I have to rely on institutions and rules to make sure that I'm not being poisoned. The same is true for the protection of fundamental rights not just online but in all technology.

GDPR is a short form for General Data Protection Regulation. It's an overhaul of existing data protection laws in Europe. The philosophy in data protection is you don't own your data but you have something much more powerful, which is you have rights over your data no matter who holds it. GDPR changes existing laws in three crucial and important ways. One is it gives people more rights: important rights such as the right to portability, so you own the right to take data from one provider to the next. That's quite powerful.
It also places more stringent obligations on companies. The accountability principle shifts the onus from people to companies or those that process data to demonstrate that they are compliant. GDPR doesn't prevent you from processing data but it sets the ground rules that anyone who deals with personal data has to respect. GDPR doesn't revolutionize--it simply updates existing data protection laws. The problem under existing laws was that on the one hand it was sometimes very difficult to prove that a company was non-compliant. What GDPR changes is that it comes with hefty fines, it has an extraterritorial scope which means that it applies not just to companies that are based in the European Union but also to companies that are based anywhere in the world but that monitor the behavior of EU citizens, offer goods and services to people in the EU. So it closes some existing loopholes. A lot of the tracking companies, for example third party trackers and websites and apps, are based outside the European Union and suddenly they have to comply.



The Facebook Cambridge Analytica scandal has been a wakeup call for companies and governments around the world. It was always very difficult for us to communicate the actual harm because a lot of times when your privacy is being invaded you actually don't notice. We don't really feel the consequences. We have said for a long time that the entire purpose of the fact that you're being surveilled and tracked 24 hours a day is to modify and change behavior. That's the purpose of targeted advertisements and it doesn't come as a surprise that political actors are also interested in these kinds of ecosystems. There are many bad actors out there and I don't think a single company deserves all the attention. We think there's a systemic problem behind the way that people are being tracked, monitored, and profiled and that's not limited to a single company. And this is what needs to change now because Facebook Cambridge Analytica is now no longer in business but that doesn't mean the problem is solved. It always seems like it's just ads and ads are harmless, but the targeted advertisement system comes with an entire ecosystem made up of thousands of companies in the background, and Cambridge Analytica is just one of them that happens to work on politics, but there are many other actors that are interested in tapping into these data troves: scammers, law enforcement, intelligence agencies, and that's why we think an underregulated opaque data ecosystem is a real problem.



There are good companies and bad practices. A good company is very transparent with you about what they are doing with your data. Unfortunately, bad practices are very widespread and common and that's our concern. It depends a little bit on the business model. There are business models which are inherently problematic because they are premised on the idea that you can have people's data without their knowledge or consent and there are business models where there's definitely no inherent contradiction and it might actually be in the interest of the company to offer privacy-respecting services.