June, 2018

now browsing by month


G.D.P.R., new European law for the protection of privacy and the future of the global data economy

They are curious messengers, these ants in your mailbox. “We’ve updated our privacy policy!”, Cheerfully announce it and provide links that provide clearer information and better control over how your personal information is used. Proper and well educated, they come from remote areas of the Internet – from some of the companies you know and most of them you do not know. Some cite the cause of this sudden influx: the General Data Protection Regulation, an EU law that came into force on May 25.

G.D.P.R. It is the most controversial law in US history and the result of years of intense negotiation and thousands of proposed amendments, even though its components have been anchored in European law for decades. It contains two fundamental changes to the previous legislation, the Privacy Policy of 1995. The first would be the universality: a common set of rules and practices that exist across the continent and hopefully in the world. The second is the application: the ability of regulators to breach a company that G.D.P.R. as much as four percent of its total global sales. Of course, both are just titles. The law leaves a lot of room for implementation and interpretation; Although the fines far exceed anything the data protection authorities have practiced so far, they may be under-indebted.

G.D.P.R. was launched in 2012 by Viviane Reding MEP, then Vice-President of the European Commission. She told me from Brussels that she was worried about “big business” like the American Gafa – the French style for Google, Amazon, Facebook and Apple. “They just ignored the old law,” Reding said. “Cambridge Analytica’s Facebook scandal, if it happened on May 26 this year, would have cost Facebook billions of dollars, among other things, and they could not pass on citizens’ personal information without asking citizens to ask, and you can Do not steal and simply tell them that under the new law it is not possible, and that if you do, the punishment will be very, very severe. ”

This rhetoric has started a whole industry of lawyers, consultants and privacy advisors. Although they may not necessarily be responsible for the ants in your mailbox, except perhaps for some awkward episodes of “We’ve updated our privacy policy again!” – You are certainly busy isolating your customers against the risk of their use. “I’ve never seen so much fear in twenty years of privacy,” said Eduardo Ustaran, who discusses privacy and cybersecurity issues at Hogan Lovell’s law firm. His counterpart at D.L.A. Piper, Jim Halpert, said the same thing. For large multinational companies, the entire workforce of G.D.P.R. “The problem is huge – big companies are investing more than $ 50 million in preparation.” Like all the other practitioners I talk to, Halpert believes that companies like Google and Facebook are easily able to. This favors companies that are organized and can spend a lot, “he said.

For Reding and for his colleague and G.D.P.R. Moderator Jan Philipp Albrecht, the law mainly affects companies that process personal data. “In the last ten years, there has been no chance of catching up with the big Silicon Valley Internet companies,” said Albrecht. “With G.D.P.R. this will change.” He hopefully added, “Consumer power has not really started.”

The Data Protection Officer in Ireland, Helen Dixon, is one of the people at the heart of the G.D.P.R mission, where many multinationals have their European headquarters. In anticipation of the law, his office hired a hundred people on a short detour, with forty other people on the way. “We have many lawyers, communications specialists, investigators – some on grounds of criminal law, others on prudential grounds – and we have business analysts, systems analysts,” he said. she said. The Vision, the Dixon of the Irish D.P.C. She is far from the team of 30 people she inherited in 2014. The main question, she told me, “is how many simultaneous exams we can perform.”

Albrecht’s and Dixon’s enthusiasm contrasts with the omnipresent cynicism that many privacy professionals seem to be spreading in their profession. Even Halpert and Ustaran, who are more positive than most, have struggled to say how G.D.P.R. Compliance will improve the life of an average citizen. The law promises advances in global information hygiene: It becomes difficult for large data processing companies not to know what the data is, where it is stored, and how it is stored. But at the individual level, the benefits are less obvious. In general, companies have simply designed longer privacy policies – an exaggeration that refutes the intent of the legislature. When the law comes into force, independent experts and activists hope for more meaningful interventions. Mireille Hildebrandt, a professor at the Free University of Brussels, said that G.D.P.R. could be especially useful for eliminating algorithmic distortions and other cases of machines doing something wrong. “Automated decisions that have a significant impact can be challenged and need to be meaningfully explained,” she told me.

Data protection is sold to Europeans as a tool for balance, equality and autonomy in the digital world. But it is also a very individual diet; It is unlikely that a person’s actions will change. It is therefore relatively easy for us as a collective to make concessions of comfort, ignorance or resignation. Article 80 of the G.D.P.R. is a feature that seeks to remedy this situation by introducing, for the first time in European law, the possibility of collective redress. There is no automatic right to sue for damages, but G.D.P.R. allows temporary orders to stop the processing of data. The provision is carefully protected because, as Reding points out, “what we do not want in Europe is a class action lawsuit of the American kind that only creates the activities of lawyers”. Paragraph 80 allows civil rights attorneys or consumer advocates to defend themselves in the name of the community or the public interest.

According to Albrecht, these NGOs and other institutions will not only be looking for the “only one” who has time to manage their own data, but also those who have no time or risk. one hundred percent in these technologies, laws and regulations. “But even with these various actors, there is a cautious note about the aspirations of the law.” No data protection law protects us from ourselves, “said Albrecht.