GDPR net starting to get very wide

Eight months after the introduction of GDPR, decisions are starting to emerge from the first complaints. The breadth and depth of those complaints are starting to look revolutionary for the digital economy.

For years, the internet effectively did whatever it wanted. Bureaucrats attempted to regulate the industry, but mostly built ineffective rules on shaky foundations. Regulators were seemingly unable to out-manoeuvre Silicon Valley’s slippery legal eagles, experts at discovering grey areas. Then Europe’s General Data Protection Regulation (GDPR) arrived.

The months leading up to the May 25 ‘doomsday’ were a nightmare for many companies around the world, such is the weight of potential fines. As soon as the ink was dry in the rulebook, the complaints started to get filed. Eight months later, the first decisions are emerging, and the threat of disruption is starting to look big, broad and beastly.

Over the last few weeks, French regulator CNIL has fined Google €50 million for not being explicit enough when collecting consent, a decision the search giant is challenging. Privacy advocate Max Schrems’ non-profit, None of Your Business (NOYB), has filed complaints in Austria against eight internet companies for ‘right to access’ violations. NOYB is also challenging Google’s Android as well as Facebook’s Instagram and WhatsApp on the grounds of forced consent. Privacy International is also pointing the GDPR finger at Facebook. Privacy-focused browser Brave and the Open Rights Group are tackling Google and the advertising industry body IAB over ‘real-time bidding’ for hyper-personalised advertising.

The final case is an interesting one, as real-time bidding is not a practice which has been widely connected with GDPR. Real-time bidding platforms allow companies to collect in-depth and wide-ranging troves of information on individuals. This behavioural data is then ‘broadcast to tens or hundreds of companies’ in order to attract potential advertisers’ bids. Brave and the Open Rights Group believe this is a violation of GDPR, as the ‘broadcast’ fails to protect these intimate data against unauthorised access: once a bid request has been sent out, the publisher has no technical means of controlling what each recipient does with it.

Article 5, paragraph one (point f) of GDPR states data should be ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss’. As there is no control over the data once it has been broadcast, Brave and the Open Rights Group argue this is a violation of the regulation.

The marketing and advertising industry would certainly have been aware of the threat to this segment, but it is not the type of data use which has hit the headlines in a major way. This is the current risk the internet industry is facing: privacy advocates are getting creative with how they apply GDPR, widening the net of accusation and ensuring lawyers are fighting the regulation on multiple fronts.

In the first couple of months, you can almost guarantee every decision will be challenged by at least one of the internet giants. This is the gravity of the situation: if the privacy advocates win, fundamental and revolutionary changes could be on the way. The internet will change according to how GDPR is interpreted. The threat of red tape choking off the steady flow of billions is looking very real.

Worrying for the internet giants is the emergence of class-action suits as well. Although this type of proceeding is quite common across the pond, such cases are rare occurrences in Europe. Across the legal community there have been mutterings suggesting the regulation could open the door to them in the bloc. Perhaps they would not reach the same scale as class-action suits in the US, but the threat of such a trend should be very worrying for those who are currently ducking and diving swipes from the GDPR stick.

Today is Data Privacy Day, so perhaps it is fate that the data privacy campaigners appear to have the upper hand over Silicon Valley right now. The first regulatory decision has gone against the internet industry, the implications could have a significant knock-on effect on Terms of Service agreements, and you can guarantee Google will throw everything it can against the CNIL and its €50 million fine.

The money means nothing to the ‘Don’t be evil’ crowd, but the potential disruption to the internet economy could be seismic. We all knew GDPR could be very damaging to the data-sharing industry, but now it is starting to get very real.

Privacy champion Max Schrems is back with another set of complaints

The man who is largely credited with the downfall of Safe Harbour has re-emerged from the shadows to take eight of the internet giants to the regulator over GDPR violations.

As user privacy increasingly seems to be an alien concept to Silicon Valley and the other internet players, Austrian data privacy champion Max Schrems has jumped into the limelight once again. This time he is challenging eight internet companies and their data privacy practices, arguing they are violating Europe’s General Data Protection Regulation (GDPR).

Through filings with the Austrian Data Protection Authority by Schrems’ non-profit NOYB, the complaints focus on the ‘right to access’ enshrined in Article 15 GDPR and Article 8(2) of the Charter of Fundamental Rights. Amazon, Apple, DAZN, Flimmit, Netflix, SoundCloud, Spotify and YouTube are on the receiving end of the complaints, with the potential penalties ranging from €20 million through to €8 billion.

“Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to,” said Schrems. “In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information.”

GDPR is supposed to hand control of personal data back to the individual. Its aim is to hold the digital economy accountable for its actions and to require a certain level of justification for holding onto, and potentially monetising, an individual’s personal information. Several clauses are also aimed at transparency, to ensure the user is fully informed, or at least has the opportunity to be, about how these software and service providers commercialise data.

In addition to what raw data is being stored, individuals now also have the right to know where this data was sourced, who the recipients are and what the purpose of the processing is. This is where several of the complaints focus specifically, as this is the information which was absent from some of the responses.

If privacy is an alien concept, then transparency is a dirty, inconceivable word to the internet players. It seems former habits have been hard to shake.

[Table from NOYB’s complaints summarising how each of the eight companies responded to the access requests; image not reproduced here.]

As you can see from the table above, Schrems has tested how some of the internet players have reacted to the introduction of GDPR. Most have made some progress, with SoundCloud and DAZN the exceptions, but that is irrelevant. The introduction of GDPR on May 25 2018 was not the starting line for a gradual move towards compliance; day one was a hard introduction of the rules. There are some circumstances where companies can avoid penalties, but these are scenarios where non-compliance would be seen as outside the control of the company, or where best efforts have been made.

This is where these firms might find themselves in a bit of hot water. An automated response which offers up some information, but not all of what is required under the new regulation, should not be considered good enough. The pair ignoring the requests completely should be very worried about the repercussions. And finally, the Austrian regulator will also have to decide whether four weeks is an appropriate response time or too long; GDPR requires a response without undue delay and in any event within one month, extendable by a further two months only where requests are complex or numerous. None of these firms are in a safe place right now.

Another interesting aspect will be the readability of the data. In the complaints, Schrems notes the raw data was provided in what would be considered cryptic form for the general public. If users cannot read the data, it is not really being made accessible by the company, and Article 12 of GDPR requires that information be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Whether a raw database dump is taken as a violation remains to be seen, though Austria could set a precedent.

Many of the internet giants have resisted the calls from data privacy advocates and governments around the world, but GDPR is supposed to be a stick to keep the segment in line. These are companies which will want to avoid giving too many details away, as the power and depth of the data-sharing economy has the potential to spook large swathes of the general public. Too much light shed on data processing and exchange practices would also offer more ammunition to the blood-thirsty politicians, many of whom are on a PR crusade to make heads roll.

Ultimately this will give us a good indication of how sharp European regulators’ teeth actually are. In passing GDPR, the EU has offered a stick to the pro-privacy regulators, but how hard they swing it remains to be seen. The dreaded ‘up to’ phrase is present when looking at potential fines, so let’s see whether these regulators have the stones to dish out appropriate punishments.