General data protection regulations (GDPR) sound like something that the average person needs to know nothing about. On the contrary, these rules affect us on a day-to-day basis.
For the last 20 years, most jurisdictions have had similar requirements regarding corporations maintaining the privacy of their consumers’ data. The differences were more to do with flavour than the substance of the task.
In essence, companies were supposed to seek permission to collect information from users. A generic question was deemed to be sufficient: “We are going to collect your information. Do you agree?”
Beyond that, a general practical application of what it meant to protect and not misuse information was kept to a minimum.
As to be expected, some companies took advantage of this and abused their access to people’s information.
And certainly, there’s a general willingness among users to click ‘Yes’ without reading when presented with a legal document spanning multiple pages.
In 2005, PC Pitstop, a software maker that produces a suite of utility applications to improve performance and security of your computer, embedded an offer of $1,000 inside their end-user licensing agreement (EULA). To claim the prize, all you needed to do was send them an email citing this clause from the EULA. It took five months and more than 3,000 sales before an astute customer actually read the EULA and claimed the prize.
In light of users’ click-first-ask-questions-later attitude, some corporate agents collected and abused the private information of millions of unaware users. They simply placed permissions to use that information in multi-page EULAs, with the expectation that nobody would read them.
They were usually right.
Now, many jurisdictions want to deal with the problem.
The U.S. administration appears to be moving to open access and the use of consumer data.
The European Union has moved in the opposite direction. It plans a policy that requires collectors of data to query users every time they take information (instead of a single EULA to ignore before clicking OK we would have dozens per web visit).
The EU is also going after data storage services, such as cloud computing providers.
If I were to start a website that collected information on my users, not only would I be responsible for this constant authorization verification, but the company that hosts my website would be responsible for how the data collected is protected. This puts an onerous requirement on hosting services and makes my otherwise useful and informative website nearly unusable.
To make matters worse for providers, the U.S. and EU positions are mutually exclusive. One can’t guarantee protection of the information as per the EU requirement while guaranteeing access to any information to the U.S. government, as per their requirement. This means that companies that do business in both the U.S. and EU will run afoul of at least one jurisdiction and likely see substantial fines and restrictions of corporate activities in that jurisdiction.
How did we get in this mess?
Thirty years ago, the Internet had a user base of under two million people. It was designed to allow the easy and rapid sharing of information, typically between scientific researchers and U.S. Defense Department officials. Nobody was concerned with jurisdictions or privacy laws because so few people accessed the information that there was no real commercial application.
Today, there are billions of Internet users and every corporation has a virtual finger in the pie.
The infrastructure was not designed to deal with the different legal requirements of various nations – it was just assumed that you would abide by the laws of your justice system.
That’s no longer a valid perspective. So various jurisdictions are attempting to force their interpretations of privacy laws into the international stage.
Unless all jurisdictions can draw up an agreed-upon standard to be applied universally, we’ll end up with a scenario where every country adapts China’s Internet model: severely limited access to sites from other jurisdictions.
This has already started happening to a limited extent thanks to copyright laws. YouTube creators sometimes make their videos accessible only to certain countries because of differing copyright and ownership laws.
If we want the Internet to remain open, we need international discussions to find rational, reasonable privacy requirements.
Otherwise, we’ll see the balkanization of the Internet, with access limited to only those sites that meet your government’s privacy requirements.
Eamonn Brosnan is a research associate with Frontier Centre for Public Policy.