A high-profile expert panel met in Berlin on 31 Jan to discuss the nature and risks, but above all the rewards and opportunities of the GDPR. This blog post summarizes eight key thoughts emerging from the presentations and discussions at this inspirational and positively spirited discussion of the new privacy regulation.
Hosted by privacy messenger company Wire.com, the panel discussion chaired by David Meyer (of Connected Rights) brought together Jan Philipp Albrecht (MEP and chief negotiator of the regulation for the parliament), Katharina Miller (lawyer, and president of the European Women Lawyers Association), Dr. Philip Fabinger (Global Privacy Council at HERE Technologies) and Alan Duric (co-founder of Wire and privacy technology veteran).
While a lot of GDPR events currently focus on practical compliance in light of the approaching enforcement date, the scope of this gathering was at a very welcome meta-level. While business practice played a clear role in the discussion, the focus was on creating a general overview of why the GDPR came to be in the first place and how it could be perceived as a positive impulse to rethink technology, the expectations of users/consumers and its opportunities for (European) privacy-centered businesses.
From my notes, I distilled eight insights that I believe would be worthwhile to take away from this half day at the Wire headquarters - all aligning very well with my recent post on how I would like to see the GDPR framed as a call to practice ethical design.
My eight key take-aways from the event---explained in more detail below---are:
GDPR answers questions emerging from the realities of technological development
The “meaningful and easy to understand” rule cannot be ignored
Legislation can be perceived as painful because it has to catch up with past developments
Personal data is not the new oil, but the tobacco of the 21st century
Under GDPR, the intrinsic value of data is changing
The GDPR’s competitive advantage is not in the law, but in innovation
GDPR is not an obstacle to good UX
It is never too late to get started!
1. GDPR answers questions emerging from the realities of technological development
Who better to summarize the values of the GDPR than its "midwife": Jan Albrecht, the MEP who led the negotiations for the European Parliament, opened the event with a 20-minute summary of the core ideas behind it.
Most importantly, Albrecht stressed how being responsible with people's data had so far been a disadvantage in the market. Even when obeying the laws, their fragmentation across Europe led to a situation where it commonly paid off to only aim for minimum compliance. This is changing on May 25. The European legislators consciously chose a route where harmonization would not be achieved by a smallest common denominator, but by "ensuring that everybody has a trustful common standard". This leads to an equal competitive situation across Europe---dealing respectfully with personal data is no longer a disadvantage.
Albrecht further mentioned some of the key aspects of the GDPR and how they relate to that core idea. The principles of Privacy by Design and Privacy by Default mean that control is by nature given to those using a service, not those running it. And the need to make Privacy Impact Assessments (PIA) while building services means that the privacy impact becomes the core of how we create technology (Fabinger later illustrated how the PIA requirement moves the responsibility for privacy from the compliance units to business units, such as programme managers, engineering, design, etc.).
Albrecht also critically mentioned some of the areas where the GDPR does not yet provide answers (for instance interconnectivity and encryption), but closed with his view that the GDPR is a globally unique example of how to approach these complex technical questions in a global, technologised world through democratic debate and decision-making:
It is not too late for regulators to engage in progressive and future-oriented legislation!
This intro set the tone for the rest of the event: the GDPR is a standard the big players cannot get around, and it is the great chance to regain the confidence and support of users (which has recently suffered visibly, given the increasing awareness of non-transparent data processing).
2. The "meaningful and easy to understand" rule cannot be ignored
Given that the core idea of the GDPR is to create transparency, including about the previously opaque algorithms that control people's data, one of the most important messages is to put the utmost effort into the clarity with which users are told about the use of their data.
Whereas companies could previously protect themselves by having lawyers write the smartest, most complicated privacy statements (texts that nobody could understand, but that would have a good chance of standing up in a court case; cue the "I have read and understood the terms and conditions" lie), mitigating risk now means that user information has to be as easy to understand as possible: not from lawyers for lawyers, but from people to people. Paraphrasing Jan Albrecht: somebody not making it easy to understand will be fined.
This, I believe, is the most important aspect to understand about the GDPR: as long as lawful grounds can be defined, the GDPR does not forbid the processing of personal data (Albrecht stressed this again in the Q&A later), but making that processing absolutely transparent for the user is what regulators are likely to look for once the new law is enforceable. Taking shortcuts here appears to be a very risky path.
3. Legislation can be perceived as painful because it has to catch up with past developments
Quite naturally, the shortcomings of the GDPR and the upcoming ePrivacy Regulation were also discussed. Especially the strong focus of the current ePR draft on consent (as opposed to the broader array of legal grounds for processing in the GDPR, such as legitimate interest) stirred some debate.
Referring to his introductory statement that the GDPR marks "the start of discussing fundamental principles of a technologised society and world which is completely different from the past" and introduces "a new layer in everything we do", Albrecht highlighted that the new legislation aims to fix already established practices:
We are repairing the ship on the go and the ocean has completely changed.
Arguments such as the practical challenge of asking for consent when dealing with fully autonomous vehicles (Fabinger illustrated this with an easy-to-understand use case) cannot be ignored. Yet the panel discussion illustrated how we are only at the beginning of exploring technological solutions that reduce the often unnecessary data noise being created---all challenges aside, it is very likely possible to find ways to have machines interact with less personal data involved.
4. Personal data is not the new oil, but the tobacco of the 21st century
"Data is the new oil", goes a famous saying---a perspective that Alan Duric countered in his presentation by instead comparing personal data to tobacco:
Smoking was perceived as harmless and even good for people well into the 1980s. The risks only came to broad public awareness once heavy regulatory efforts no longer allowed the tobacco industry to play them down. Similarly, Duric argued, people today are widely unaware of the risks that the liberal abuse of their personal data presents; the role of legislative instruments such as the GDPR is to regulate what businesses are allowed to do, and hence to grow awareness amongst people of what is at stake.
In my opinion, the GDPR has already started to achieve that goal. While many still consider the required changes to business practices as an unjust burden and negative impact on "customer experience", I am convinced we are going to see a growing awareness amongst "consumers" once clear and understandable data practices are presented everywhere.
5. Under GDPR, the intrinsic value of data is changing
Another brilliant analogy from Duric's talk touched on the subject of enterprises collecting heaps of data without a specific use case. Given how regulated, and hence expensive, the maintenance of such data vaults is becoming under the GDPR, he compared it with another industry that struggles with unwanted elements in its storage:
The unused data about your customers is nuclear waste
Duric's point about the GDPR making the storage of data without a clear purpose unattractive was picked up again later in the discussion, when the intrinsic value of data came up. The current situation means that selling the data is often more important than selling a good product; public companies like Facebook are under intense pressure to create ever more value by collecting data. "Who is watching the watchmen?" is the question---and the panel seemed to agree that this is precisely why the GDPR was needed. As Duric put it:
Imagine the future in 10-15 years without regulation...
I could not agree more. Now is the time to act, and the GDPR, for all the lack of specificity that causes countless headaches in day-to-day operations, is the most powerful tool history has seen for allowing people to regain control over their privacy.
6. The GDPR's competitive advantage is not in the law, but in innovation
Meyer provocatively asked the panelists: if, due to its extraterritorial scope, US companies also have to comply with the GDPR, where is the often-quoted competitive advantage?
From the answers, it can be concluded that the advantage this legislation provides lies in leaving current thinking patterns behind. While much of the Silicon Valley tech industry is locked into its model, European companies should let go of the fear that "if we don't play by the same rules, we will fail" and instead innovate using the freedom from that historical debt. On the other hand, as the GDPR's motivation is to create a level playing field for everybody, companies from outside the EU are of course still welcome to compete.
Duric expressed his vision of the privacy tech industry becoming as important a global leader in technology as the automotive industry once was. Fittingly, Fabinger had an example from US standardisation efforts for the communication of autonomous vehicles---the compulsory data involved does not qualify under the rather narrow US concept of PII (personally identifiable information) but clearly falls under the much broader EU definition of "personal data". Here, for example, there is plenty of room to innovate and take the lead internationally.
Miller, Fabinger and Duric also repeatedly stressed that supporting European products and services, choosing European GDPR-compliant solutions over those from Silicon Valley, is an important driver for innovation in the privacy field.
7. GDPR is not an obstacle to good UX
A member of the audience highlighted how ever more consumers want the smooth experience of personalised services, yet a growing share is reluctant to give their data away, and asked the hypothetical question of whether the business imperative shouldn't be to ensure that users are in control of their data.
This question, and the following discussion, were a great instance of where I would like the debate about privacy and UX to go: the GDPR must not be seen as the law that clutters UIs with ever more consent forms or that brings huge fines for compliance details, but as the motivation to deliver the experiences expected by the users while considering their desire for privacy. As Albrecht put it:
GDPR does not forbid anyone to process personal data, it just sets the requirements.
And Duric added:
UX can also be achieved on a fully anonymous basis.
Here's a goal to work on in the field of User Experience Design! I'd love to see that quote on every UX team's wall. The GDPR is only the enemy of UX if users are perceived as data sources; if we include the desire for privacy and control in the definition of "the user", the GDPR is the competitive advantage for true UX.
8. It is never too late to get started!
Examples like the very thorough compliance efforts by HERE, as presented in Fabinger's introductory talk, are a great showcase of companies that understood early on how much effort these legislative changes demand of a big, data-driven company. Yet, while the panelists agreed that it is important to have the fines in place to enforce compliance as of 25 May, being late to the party does not mean one should do nothing.
Miller shared how, for example, a lot of Spanish companies (which, as she also highlighted, are exceptionally well prepared to begin with, thanks to Spain's already strict privacy laws) are merely waiting to see whether the GDPR enforcement date will pass without further consequences. That is for sure the wrong strategy. Regulatory bodies have---with varying effort---started to roll out good tools to help businesses. And based on the insights from the debate, it appears obvious that GDPR compliance is initially not so much about precise implementation as about evaluating and rethinking the role of personal data in the business and how it is dealt with.
GDPR - risk or opportunity?
The intent of the organizers was to discuss questions about risks and opportunities under the GDPR. While the panel was dominated by pro-GDPR representatives and consensus was not difficult to achieve despite certain differences, I believe it succeeded in giving one realistic perspective on the situation: the GDPR was created to protect individuals and their privacy, and it has the potential to achieve real change. Unfortunately, it seems, fines are the only way to enforce reconsideration at this scale, yet the discussion gave ample insight into how the burden of compliance can be turned into a rewarding opportunity. This, however, requires that Europeans reconsider the data hunger that has crept into our culture over the last decade, and that innovation is not just seen as "innovative ways to comply" but as a radical rethinking of technology and of the valuation of products and services over data.
Many of the arguments exchanged were well known to those following the debate actively, but one key thought I took away freshly from the discussion is the hope for a culture in which failure to comply in every detail is tolerated: just as Duric recalled early mistakes made while developing Wire, I believe that those trying to respect the spirit of the GDPR but failing to comply in every detail should have nothing to fear. After all, as long as the baseline of an enterprise (Privacy by Design, data minimisation, transparent policies, etc.) is aligned with the values behind the regulation, minor implementation flaws are very unlikely to trigger more than a friendly reminder from the DPA.
It is crucial to highlight that the GDPR is not---as commonly misunderstood---a race for maximum compliance on 25 May 2018, but a call to align practice with the new valuation that personal data, as a fragile good, has received: first embrace the spirit of the GDPR to rethink how you are dealing with personal data, then think about the minutiae of its implementation. This event surely contributed to spreading that understanding.