GDPRmageddon: They think it's all over! Protip, it has only just begun
After months of hysteria, firms sure have their work cut out
The big day has finally arrived: Europe's General Data Protection Regulation is now in force – but as the calendar flicked over last night, those breathing a sigh of relief will be sorely disappointed.
For a start, it is a naive company that has treated 25 May as a deadline, thinking it won't have to worry about data protection after today: not only are there a bunch of new duties under the law, it also offers the potential for new challenges.
Meanwhile, for those members of the public (or journos) that think their inboxes will be magically cleared of spam, remember that many of the firms sending the mails have probably been in breach of marketing laws that have existed for the best part of two decades.
Aside from some high-profile examples, many of these go unnoticed or unpunished. The fines might be larger under GDPR, but the regulators have stressed there won't be a seismic shift in their approach.
Moreover, GDPR is just one of a number of changes on the data and privacy landscape. The European Union is updating the rules on electronic communications; while in the UK, there's the Data Protection Act – given Royal Assent about 36 hours before GDPR kicked in – to grapple with.
And that's without considering how Brexit will affect tech firms, as the continued flow of data between the UK and the rest of the bloc depends on the government's ability to negotiate a good deal with the EU.
'Please don't leave me!!'
The run-up to the enforcement date of the GDPR has been accompanied by increasingly hysterical reports of non-compliance being hit with unpayable fines, a deluge of unnecessary emails and a suspicious increase in "GDPR certificated" consultants touting their wares on LinkedIn.
And as companies spent the last week furiously scrambling to reach some semblance of compliance with data protection rules that were adopted two years ago, the situation reached fever pitch, with some even deciding the best option was to cut off EU users entirely.
Meanwhile, everyone has been inundated with emails asking them to "reconsent" to direct marketing from companies they've never even heard of.
The view of these firms – many of which have no doubt been given questionable advice – is that this is the only way they can continue to send people marketing communications once GDPR is enforced.
However, they have overlooked the fact that such marketing is already regulated under the EU's e-Privacy Directive – implemented in the UK as the Privacy and Electronic Communications Regulations (PECR), most recently updated in 2003.
These require people to have given consent before they can be sent direct marketing. The so-called "soft opt-in" relaxes this slightly, saying that if a firm has an existing relationship with you – for instance, if you've bought a product from them before – they can still contact you.
Nonetheless, this effectively means that many of the firms sending people one or more emails (Chase Distillery has sent your correspondent no fewer than four) are simply flagging up the fact that they have been non-compliant with existing laws for years.
Undeterred by efforts to calm the consent storm, organisations have ploughed ahead with varying amounts of common sense.
Take IT academic Lilian Edwards' gym, which she spotted holding on to people's training programme cards until they asked for them – which would be treated as consent for unspecified purposes.
2/ they were holding peoples gym programmes - in cards - hostage until ppl asked for them back and this would be treated as “consent” ( tho they didn’t say to what)..— Lilian Edwards (@lilianedwards) May 24, 2018
Or East Renfrewshire Council, which issued a missive to local schools saying that without parents' permission, kids under 12 wouldn't be able to take home letters with, among other things, their name on.
Kid: mum here's a letter from school— Heather Burns (@WebDevLaw) May 23, 2018
Me: *silent scream* pic.twitter.com/qHGptTcI3l
New law, new challenges
However hilarious it's been to see organisations pulling their hair out over consent, the focus on this aspect of the regulation – exacerbated by misinformation in the press – has been unhelpful.
That's not just because it's been mis-sold as a silver bullet, but also because it's confused and distracted from a much-needed debate about the other five legal bases for processing data.
One of these is "legitimate interests", which has become something of a fall-back for firms looking to justify data processing – and one that could come back to bite them.
"The overlooked right in this whole law is the right to object to legitimate interest processing, which makes up a lot of behavioural advertising online, and is used as the legal basis for a lot of business models," said University College London academic Michael Veale.
"The data controller has to make the balance of whether their rights or your rights prevail, and we await to see whether the regulators and courts think their business models outweigh your objections, or whether data subjects pretty much always prevail. My money's on the latter."
Consultant Tim Turner agreed, saying that the need to be transparent about the use of legitimate interests has not had enough scrutiny. "I think this could allow people to undermine and challenge quite a lot of non-contractual processing of data, and we don't know what that would look like."
GDPR has opened the floor for privacy activists to launch new challenges. Max Schrems, the Austrian lawyer who took down the Safe Harbor agreement on transatlantic data transfers, has already launched a nonprofit, NOYB, to take advantage of the options for collective redress and other rights built into the GDPR. He has today filed four complaints over "forced consent" to Facebook, Google, WhatsApp and Instagram.
And Privacy International has also today kicked off its own campaign to investigate data brokers like Acxiom, Criteo and Quantcast.
The aim is to use the new rights under GDPR to expose what it describes as the "hidden data ecosystem" – the collection and exploitation of large amounts of personal data – and check how compliant such firms are.
Last year, experts warned that these increased rights to ask companies what data they hold on people could also lead to an increase in no-win, no-fee style claims, while the right to deletion could pose technical as well as financial challenges.
Indeed, many individual activists, lawyers and privacy experts have said they plan to mark the enforcement date by sending out subject access requests to find out what information companies hold on them.
Previously, firms could charge for digging out this information – now it has to be handed over for free, and a variety of sites, like DataStopClick, have been set up to offer people easy-to-use templates that allow them to exercise this right, as well as friendly encouragement on how to go after the big boys.
At midnight CET, everyone other than American residents can submit a request to @uber firstname.lastname@example.org for a copy of their data, as Uber has confirmed (unlike FB) all non-US residents served from Amsterdam, so have GDPR rights. Americans can try too if they use Uber abroad. pic.twitter.com/mYe5ABwh6Q— Michael Veale (@mikarv) May 24, 2018
ePrivacy, Brexit and beyond
But beyond GDPR, there looms another piece of EU legislation that has been largely overlooked, but is likely to require just as much action on companies' part as GDPR: the update of ePrivacy laws.
"The ePrivacy Regulation is around the corner, although no one knows quite how far, and also seems likely to bring business model shake-ups," said Veale.
"Perhaps the main change will be the death of the cookie banner in favour of legally binding Do Not Track signals that browsers must allow you to send out, and websites must comply with.
"This data protection by default approach could shake up the world overnight, just as WhatsApp did by switching users unbeknowingly to end-to-end encryption."
Another concern is that the regulation might bring with it a continuation of the worst themes in the run-up to the GDPR: a "tsunami of bad advice", as Turner puts it, and snake-oil salesmen ready to make a quick buck.
*waits for a new band of “ePrivacy consultants” to rush onto the scene* https://t.co/Z2ZXZYUUcI— Neil Brown (@neil_neilzone) May 25, 2018
And even if the problems stop there for the rest of the EU, in the UK there are bigger fish to fry.
One is the Data Protection Act, which was commenced today – having scraped through parliament just in time for GDPR. It's four times as long as the EU regulation it implements (it doesn't even include the full GDPR text) and has not won praise for its clarity.
Within this are a number of areas of concern for both citizens and the government, which is sure to be fighting more legal challenges – including on the controversial immigration exemption, which the Open Rights Group among others has promised to take action against.
But bigger still is the elephant in every room: Brexit. The UK needs to gain an adequacy agreement from the EU so data can continue to flow between the nation and the rest of the bloc – without it, business will suffer and experts warn national security and policing efforts could be hampered.
However, the UK has some of the most intrusive surveillance laws around, and these will be taken into consideration when the EU decides whether to sign an adequacy deal. Although the government has been warned time and again that this will not be an easy deal, its apparent complacency is cause for concern.
"The government have been wildly optimistic about a special data deal that the EU clearly has no appetite for, and with our shaky enforcement and pervasive surveillance, I don't see how we can get an adequacy decision," said Turner.
Although he acknowledged that the EU can make the occasional "dodgy compromise" if it wants to – pointing to Privacy Shield, the successor to Safe Harbor that was established in a panic after Schrems – the UK can't rely on this.
"If they decide to follow the process properly, I don't see how we can get an adequacy decision," he said. "The effect on the UK tech sector of that would be impossible to quantify. It will be incredibly messy."
And so, even if the public are crossing their fingers that they've seen the last "Let's stay in touch" email for a while, the government, data protection lawyers and tech firms are sure to be kept busy for quite some time yet. ®