US legal eagle: Well done, you bought privacy compliance tools. Doesn't mean you comply with anything

Much-lauded privacy laws risk being undermined as compliance is outsourced to tech vendors and "toothless trainings, audits and paper trails" are confused for genuine protections, a New York Law School professor has said. In a paper in the Washington Law Review, published online last week, Ari Ezra Waldman argued that recently …

  1. A.P. Veening Silver badge

    I don't see any real problem, the companies failing GDPR because of buying a technical solution will pass those fines on to the vendors of said solution. As those vendors won't survive being hit with multiple fines, they will soon be out of business. At that point, companies will really have to take notice or go the way of the dinosaur, most likely some will do both.

    1. Doctor Syntax Silver badge

      "the companies failing GDPR because of buying a technical solution will pass those fines on to the vendors of said solution"

      I doubt it. The problem isn't going to be with the tools they use to implement their data storage or protection policies, it's with those policies.

      There's a simple two step process for complying.

      1. Decide what you can justify keeping, delete what you have that doesn't fit and stop collecting any more.

      2. Keep repeating step 1 only this time get more serious about justifying the stuff you keep.

      1. Anonymous Coward

        1. Decide what you can justify keeping, delete what you have that doesn't fit and stop collecting any more.

        The global digital ad market is a market worth on the order of a trillion dollars a year. Given that most of that value is channelled by the data abusers, including both the big names everybody knows and the intermediaries pimping your data that you've never heard of and never knowingly gave permission to, there's precisely zero chance that those companies are going to stop, or even try and behave better.

        If the privacy advocates (and the intention of GDPR) win out, it is going to take a long time, with a lot of bitter legal fighting, and at the end of it the internet is going to be a very different place, where we might actually have to pay for almost all content. Some may like that, some may not. But even then, I'll wager that the companies that channel the micropayments hoover up more value than the content creators.

        1. whitepines
          Happy

          At least a choice has to be offered -- pay with your data or pay via microtransaction. And I suspect self-published content (i.e. the stuff that started the Internet as we knew it in the first place) won't be affected so much as big media content -- I don't make a dime from my personal web pages, they're hosted because I want people to be able read what's there. That used to cost real money and time (remember paper?) vs. throwing it up on a £10 Linux VPS. This idea that somehow just having people read your blather should make you money was never a part of the original Internet, it's a big media / google / etc. invention.

          I imagine this Internet of the future will look much like the Internet of today with adblock on -- big media demanding payment for news access (yeah, right, if I want that I'll pick up a paper), and payment, DRM, and privacy violations as a mandatory requirement for watching precious video. I don't really use the Internet to consume content from big media, so I couldn't care less at this point and would like my privacy back please!

      2. BillG
        Stop

        Only Suckers Believe Privacy Statements

        The cold harsh truth here is that privacy statements are just hand waving. Once a company has your information they will use it, analyze it, sell it, lease it, play with it, sell it, toss darts at it, and then sell it.

        "Once you have their data, do whatever you want with it. Privacy statements are for suckers."

        - Google's First Law of Acquisition

        1. brym

          Re: Only Suckers Believe Privacy Statements

          Yeah, I'll call bullshit on that statement. I've never sold on any of my client data, and never will. If that means I make less money, so be it. But at least I have the peace of mind of knowing I haven't been a dick about it.

    2. katrinab Silver badge

      The Magic Box vendors will just go bust without paying the lawsuit claims, and set up in business the next day under a different name.

    3. whitepines
      Devil

      Didn't you read the fine print on page 365 of the contract under "Travel and Other Expenses", buried in the disused toilet marked "Beware of the Leopard"?

      "The Tools are provided for your organization's guidance only. SleazyVendor shall not be held liable for any damages resulting from the use or misuse of SleazyVendor's products."

    4. Anonymous Coward

      "will pass those fines on to the vendors of said solution"

      They won't be able to pass the fines along. I'm quite sure any contract will shield them from any attempt to seek redress. Especially if they are lawyers... or have a good enough lawyer.

      This isn't like, i.e., ISO 9001 where you just have to show you have some sensible policies and tools, and then can still churn out bad products and nobody will come after you. GDPR fines can be quite hefty, and there are specific agencies that will come after you.

  2. Anonymous Coward
    Devil

    " he called for "more modest approaches" that include hiring lawyers"...

    ...say a Law School professor...

    Jokes aside, data protection laws are laws, so you'll need experts in field as well, especially since this is not an issue that can be resolved only with a technical solution.

    But what vendors do matters little from a GDPR perspective - which refrained for very good reasons to establish "technical standards and solutions" that would have really given vendors a way to create their own version of data protection - and would have made it obsolete in a few years if not months.

    That some provisions are "unclear" - or better, not detailed enough that a loophole is easy to find for a lawyer paid enough - is actually a good thing. Concepts like "privacy by design" are destined to evolve with time - just like data collection activities - both legal and illegal, will evolve. IMHO courts will tell if a company went far enough to protect data it was obliged to.

    Entities that rely on what vendors tell them could find themselves in trouble when they have to face a privacy and data protection agency, or a court.

    1. Anonymous Coward

      Re: " he called for "more modest approaches" that include hiring lawyers"...

      IMHO courts will tell if a company went far enough to protect data it was obliged to.

      No, the courts will decide if the company went far enough to comply with the letter of the law, not the spirit. Look at the interpretation, use, and enforcement of tax laws. Not something many of us would hold up as an example of sound law making, but that, sadly, is the future of data protection.

      1. Anonymous Coward

        "went far enough to comply with the letter of the law"

        That's when the law is so specific you can literally find the "letter of the law" - but GDPR refused to be so specific.

        Tax laws are very different from GDPR - they tend to be exactly so specific that loopholes can be found by highly paid lawyers who will dissect each and every sentence to find a way out.

    2. Stork Silver badge

      Re: " he called for "more modest approaches" that include hiring lawyers"...

      - and the researcher says more research is needed.

    3. jimbo60

      Another ivory tower 'expert'

      The basic problem is that most of these laws are written in ways that are vague and ambiguous. Determining that you are compliant is an opinion, not a fact, until lawsuits going through courts add clarification and boundaries. The compliance opinions may be from ivory tower lawyers, or experienced subject experts, or baked into some services tools, but it is still just an opinion.

      Companies don't want to be hit with ruinous fines, and they do not have any more expertise than anyone else, so they want to do something, anything, to show diligence in trying to comply. Some will hire 'expert consultants', some will buy services and tools and training. And the sudden demand against a lack of supply of expertise will draw some shady operators.

      But no matter who gets hired, none of it is a sure thing because of how most laws are written.

      1. John Brown (no body) Silver badge

        Re: Another ivory tower 'expert'

        " to show diligence in trying to comply."

        And that is the crux of the matter. If you can show you have tried, to the best of your ability/available resources, then the fines will be nowhere near their potential maximum and might even just be a slap on the wrist with a "must try harder" result.

  3. LeahroyNake

    Someone missed the point

    The GDPR doesn't care how much you spend on compliance. When it comes down to the basics it is quite simple.

    Some business models will not survive an investigation; ambulance chasing and Farcebook come to mind, but there are a lot of pirates that spring to mind.

    If it's company policy to indiscriminately collect and process consumers' data without informed consent, they had better hire the liarwers to fight it out.

    1. Doctor Syntax Silver badge

      Re: Someone missed the point

      "If it's company policy to indiscriminately collect and process consumers' data without informed consent, they had better hire the liarwers to fight it out."

      Not that that will help. Just keep the money to pay the fines until you work out what you're doing wrong.

    2. nematoad
      Mushroom

      Re: Someone missed the point

      "If it's company policy to indiscriminately collect and process consumers' data without informed consent, they had better hire the liarwers to fight it out."

      It's a strange coincidence that this topic has come up.

      I'm a member of a SIG. It was recently taken over by some sort of forum aggregator. At first there was an option to transfer from membership of the forum to membership of the aggregator. I didn't because I have no interest in what they offer. Yesterday when I went to sign in I was presented with a choice "Sign up or ship out."

      Here's a quote from their explanation of what is going on: "The sooner you connect your forum account with a XXXXX account, the better, since it will happen anyway".

      They did highlight their privacy policy, which reads like something that Facebook or Google would write. Basically they lay claim to all my personal data including O/S, IP address, email address, devices (by which I think they mean what boxes I'm using), location, websites visited and on and on. I've contacted Max Schrems' organisation NOYB and have had a reply. Tomorrow I'm going to get in contact with the ICO and see how much of what these characters want to grab off me is legal under the GDPR. Not as much as they hoped, I would wager.

  4. Doctor Syntax Silver badge

    I'm not sure "Well done" applies. It sounds as if they're solving the wrong problem. Obligatory Dilbert: https://dilbert.com/strip/1998-10-13

  5. Zippy´s Sausage Factory

    Ho hum... I suspect most of these tools are being bought by people in the hope that one day, they will be able to use them to claim that they were acting in good faith when they get busted for their dodgy business practices - "but we thought we were in compliance... not that we're lawyers, we just relied on our suppliers..."

    1. A.P. Veening Silver badge

      Relying on suppliers isn't good enough for GDPR, you have to make sure your organisation itself is compliant.

  6. Anonymous Coward

    So what?

    This is the USA that we're talking about, in the US nothing is illegal until you get caught.

  7. a_yank_lurker

    Basic Privacy and Information Control

    GDPR et al. are not about how you verify you are in compliance but that you take steps to be in compliance. The basic idea behind them is that you collect and retain the bare minimum of information needed for online activities. Then you secure it using proper security methods. If you do not need to retain the IP address of visitors, do not collect them. If you do not need email addresses, do not ask for them. If you do not need their location, do not ask for it. If you do not need to set cookies, do not use them. In other words, audit the information you collect and retain and ask whether it is necessary to have this information. If not, do not collect it. If you need some, collect and retain the minimum you need.

  8. John Geek
    Trollface

    oh boy, it's SECURITY THEATER, all over again.

  9. Claverhouse Silver badge
    Mushroom

    Or just don't have ads at all.

  10. vulture65537

    'Privacy law can't be broken down into code-able pieces' - but the data processing is in code-able pieces so why not the aspects relating to privacy?

  11. Tree

    You are on your own

    You're on your own, like Suckerburg stating he was ethical and he "values your privacy" Hah! "ambiguously worded legal requirements" I love the terms of service of FaceBUTT.
