Can we PLEASE talk about privacy, not GDPR, now?

Sebastian Greger

It’s the “morning after”: a mere twelve hours have passed since the GDPR began to apply, and while still awaiting breaking news on hobbyist blog owners being fined EUR 20 million, an army of burnt-out web and legal professionals has begun to clean up from the party that was “the final dash towards GDPR”.

And what a party it was! I for my part, like others, cannot remember having witnessed anything like this before.

With an entire continent - and the law-obeying, detail-loving Germans seemingly leading the pack - going bonkers over a law that not only had been in force since mid-2016, but whose impact would have been much less severe had it not become so commonplace to ignore people’s right to privacy over past decades (though I do not intend to play down either the legislation’s enormous documentation requirements or its obvious flaws).

Panic over a deadline that wasn’t

The GDPR builds heavily upon its predecessor, the Data Protection Directive 95/46/EC - a 23-year-old law. And as privacy professional Rowenna Fielding put it in a recent tweet:

Panicking about #GDPR?

Look at it this way

You’ve been non-compliant w/ data protection law for 20 years, & with ePrivacy law for 15 years. Nobody noticed. Nobody cared.

[…]

For many, this last-minute panic (fuelled by imprecise media reporting, an often appalling lack of public guidance, and most crucially the nature of laws as never being specific but pending interpretation by courts) did not leave time to tackle the problem at its root. In many instances, privacy statements got glued on top of unaltered systems, grounds for processing were defined as seemed convenient, and data processing agreements had to be signed without much reflection on their content.

All that to meet a “deadline”? 25 May 2018, this is important to remember, was not a deadline. Nobody is “done with GDPR” now. This was no Y2K sequel.

Privacy by design, not by declaration

The new rules are here to stay, and none of the GDPR’s 99 articles and 173 recitals states “apply hotfixes on your existing practice by May 2018”. The regulation mandates that all processing of personal data has to follow strict rules; this most prominently covers the auditable definition of legal grounds (Art. 5+6), full transparency for the user (Art. 12-14), granting control to the individual (Art. 15-21) and - this seems to be the most commonly overlooked requirement in this “deadline rush” of late - the application of privacy by design and by default at its core (Art. 25).

At the same time, the law also clearly establishes that the right to personal data is not an ultimate right knocking out all other interests (Recital 4), acknowledging the legitimacy of individuals, communities, and companies building on data for societal or economic progress. This is why, for example, “legitimate interest”, under the condition of full transparency, has been baked into the law. Yet, lawful legitimate interest emerges from privacy-respecting conduct, not a well-written privacy statement alone.

GDPR already achieved one important goal: public discourse

Despite the unfortunate panic and the unfavourable confusion and fatigue caused by a flood of (often unnecessary, even unlawful) “GDPR e-mails”, it must not be overlooked that an incredible amount of really valuable work has been done. Many organisations, designers, and developers took the opportunity to reflect upon existing practices: deleting unnecessary data, introducing data retention policies, working hard to create transparency, etc. This is the widespread awareness the GDPR was intended to trigger, and exhaustion is justified after all those hard efforts. Maybe we didn’t notice and, in hindsight, it was a pretty good party after all?

I have truly enjoyed a lot of deep conversations about privacy that this compliance date motivated; some within the comfort of my own filter bubble, others with the most opposite of people. Presentations, blog posts and personal commentary on privacy-related issues have brought a welcome richness to the debate - helping everybody to develop their position and learn something about that of others.

As a law, the GDPR is the product of a democratic process, and equally democratically it is ours to work with. Only by implementing competing solutions and engaging in a discourse over their justification will we be able to eventually discover what is generally considered appropriate. With not a single court having ruled on the GDPR, there is no “100% right” way of doing things. And to repeat once again: GDPR is no deadline, it is a process.

“Privacy first, compliance second”

There is no doubt the GDPR is going to keep us busy. Its bureaucratic demands are significant (I am far from happy with many of its intricacies), and over the next five years, court rulings will slowly start to indicate what the law really means in practice - leading to yet more upcoming waves of “urgent adaptations”. After a decade of sloppy treatment of personal data, it cannot be expected that everybody is able to flawlessly rework their practices within a two-year transition period, in complete absence of specific precedent cases - even less so in the two-week or even just two-day transition period many seemed to have granted themselves.

What I would hope for, however, is that now - with the “urgent deadline” behind us - we can find time to engage in ever-broadening debates on how to treat the personal data of human beings in a technologised world; that it is not compliance efforts that keep us busy, but the systemic questions of data and privacy, of technology and humanity.

The GDPR, including all the panic it came garnished with, put privacy on the agenda. Let’s not bury this under “achievement unlocked by May 25” but use the momentum to work on new ideas on how to proceed from here. Likely everybody had to take shortcuts in recent weeks. Now, with pressure off, is the time to share what we have learned - and to keep working on new ideas for privacy first, compliance second (as the latter comes with the former almost automatically).

As Fielding wrote in the remaining part of her tweet, which I partially quoted above:

[…]

Be good at data protection because it’s the right, ethical, sensible thing to do.

Don’t panic - DO BETTER

That is such a great statement.

Panic was yesterday. Now we should “do better”.

 

The “compliance deadline” of 25 May 2018 only marks the end of a first step on the journey towards how we deal with personal data in a world of digitalisation.

Footnotes

  1. Spoiler alert: Not going to happen! (ref. Art. 83) …also the “Abmahnung” panic in Germany has - despite undeniable risks in principle - little justification from the GDPR alone.
  2. Ironically, this design principle enshrined in privacy legislation is another one of the long ignored guidelines already found in the Data Protection Directive of 1995 (Recital 46 DPD).
  3. Unfortunately, in many contexts such as the much-discussed question of people photography, the exact balance between conflicting interests may remain unclear for years to come.
  4. I really like this quote from a blog post by Wolfgang Lünenbürger: “Nach dem, was ich aus Unternehmen höre, sei das ohnehin nicht schwer, weil außer einer stringenteren Dokumentationspflicht ein ethisch und rechtlich vernünftiges Verhalten auch vorher schon ungefähr so ausgesehen hätte.” - paraphrased: for companies, apart from the new documentation requirements, ethical and legally sound conduct would have largely been the same before.
  5. Though one of those parties where you end up staying far beyond the point where the mood changed.
  6. The question of the power shift in the democratic system under heavy lobbying is a separate debate; the GDPR apparently was one of the most heavily lobbied pieces of legislation in history.
  7. The next big one already scheduled for 2019/2020, with the likely arrival of the ePrivacy regulation.