GDPR is not the Same as GERD – but they Both Cause the Same Symptoms

Commentary, Disruption, Eamonn Brosnan

GDPR. The General Data Protection Regulations sound like something that the average person needs to know nothing about, but on the contrary, they affect us on a day-to-day basis.

For the last 20 years, most jurisdictions had similar requirements regarding corporations maintaining the privacy of their consumers’ data. The differences were more to do with flavour and less to do with the substance of the task. In essence, companies were supposed to seek permission to collect information from a user, but a generic question, “we are going to collect your information, do you agree?”, was deemed to be sufficient. Beyond that, any practical definition of what it meant to protect and not misuse information was kept to a minimum.

As is to be expected, some companies took advantage of this, and of the general willingness to click ‘yes’ without reading when presented with a legal document spanning multiple pages, and abused their access to people’s information.

Back in 2005, PC Pitstop, a software maker that produces a suite of utility applications to improve the performance and security of your computer, embedded an offer of $1000 inside its End User Licensing Agreement (EULA). To claim the prize, all you needed to do was send them an email citing this clause from the EULA. It took 5 months and over 3000 sales before an astute customer actually read the EULA and claimed the prize.

In light of users’ ‘click first and ask questions later’ attitude, some corporate agents were collecting and abusing the private information of millions of unaware users, simply by placing permissions to use private information in the middle of a multipage EULA, with the expectation that nobody would read it.

The result was they were usually right.

Recently, many jurisdictions have been trying to handle this problem in different ways. The current US administration is seemingly moving to open access to, and open the use of, consumers’ data, while the EU has moved in the opposite direction and is planning on implementing a new policy that requires a collector of data to query the user every time they take information (instead of a single EULA to ignore before clicking OK, we would now have dozens per web visit). In addition, the EU is also going after data storage services, such as cloud computing providers.

If I were to start a website that collected information on my users, not only would I be responsible for this constant authorization verification, but the company that is hosting my website would also be responsible for how the collected data is protected. This puts an onerous requirement on such hosting services, and makes my otherwise useful and informative website nearly unusable.

To make matters worse for providers, the US and EU positions are mutually exclusive. One cannot guarantee protection of the information and safeguard it as per the EU’s requirement while simultaneously guaranteeing access to any information to the US government, as per their requirement. This means that companies that do business in both the US and EU will run afoul of at least one jurisdiction and will likely see substantial fines and restriction of corporate activities in that jurisdiction.

To understand the mess we are in, we need to understand how we got here.

30 years ago, the internet had a user base of under 2 million people. It was designed to allow the easy and rapid sharing of information, typically between scientific researchers and US Defense Department officials. Nobody was concerned with jurisdictions or privacy laws because so few people accessed the information that there was no real commercial application. Today we have billions of users on the internet and every corporation has a virtual finger in the pie. The infrastructure was not designed for the reality of there being different legal requirements in different nations, and so it was just assumed that you would abide by the laws of your local justice system. Today that is no longer valid, but what is happening right now is that different jurisdictions are attempting to force their interpretation of privacy laws onto the international stage. Unless all jurisdictions can sit down and come up with an agreed-upon standard that can be applied universally, I suspect that we will end up with a scenario where every country adopts China’s model of internet access, where they severely limit access for their population to view sites located in other regions. This has already started happening, to a limited extent, due to copyright laws. YouTube users will sometimes make their videos only accessible to certain countries because copyright laws and ownership rights are different.

If we want the internet to remain open, then we need to engage in international discussions and come up with a rational and reasonable way of implementing privacy requirements. Otherwise, if we continue on our current path, we will see the balkanization of the internet, and have access limited to only those sites that meet local governments’ privacy requirements.