GDPR is in force now. And my opinion of it, in isolation, as a piece of legislation, is mostly positive. It does provide better protection of people's data and gives people rights in regard to their data.
Yes, there are a bunch of aspects that could have been done better: it could have been easier to read, it could have been clearer, it could have followed the good legislative practice of not cramming multiple use cases (hypotheses) into a single sentence, it could have been explicit about some important aspects rather than leaving them at the end of long recitals (my favourite: the last sentences of Recital 26), and it could have avoided leaving it to member states to decide where the line between journalism and data protection lies (because, hint, countries with worse press freedom will now have things even worse).
But these are things that can be corrected, some are technicalities, and they are not the biggest problem of the Regulation. The biggest problem actually lies outside of the Regulation, so it's not technically its fault. But it doesn't exist in isolation.
The great sin here is that nobody cared to explain, in simple terms and with practical examples, what the hell it means. Opportunistic consultants took their chance and scared the shit out of everyone: you will be fined 20 million euro, literally on the 26th, if you are not compliant. Some were friendlier and less scary, but still took care to point out that, you see, the fines are up to 20 MILLION EURO (or 4% of annual turnover, whichever is higher).
Articles and websites that should have been informative weren't; they perpetuated myths, or at least weren't explicit enough about key questions, e.g. when consent is actually needed, which only added to the confusion.
When I wrote "GDPR: a practical guide" last autumn I didn't realize how valuable a resource that would be. Many people in comments, on reddit and on Hacker News (where it was submitted multiple times) said roughly this: "Finally this Regulation makes sense to me". Because I cared to go into the detail of practical situations and clarify what the Regulation means there.
But why should a software guy with just a year and a half of legislative experience be the one to explain things? People (rightly so) should not take my positions as authoritative. Yes, I'm a consultant, but I'm neither a lawyer, nor a supervisory authority, nor the European Commission. Just some guy who happens to know both technology and law.
"Oh, but the WP29 has put out a lot of useful information." WP29. Working Party 29. Why 29? Article 29 of the previous Directive. How would anyone who is not a GDPR or personal data expert know what WP29 is? But let's assume you somehow learn that the group responsible for the old Directive will be writing guidelines for the new Regulation. You google it, go on the website... and you're lost. You realize that maybe "Guidelines" is the right menu, so here you are, staring at a list of ugly items which lead to pages with links to PDFs. Awesome. In the great bureaucratic tradition, the useful information is "in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'" (per Douglas Adams).
There's also the EDPS, and the new European Data Protection Board (which doesn't have a website, of course). And the European Commission itself. And the national supervisory authorities. And nobody thought it might be worth publishing an explanation of standard, typical use cases in a human-readable, easy to understand way. (The ICO, the British authority, has, in fairness, tried to do that, and there are many useful answers there, but it's still far from perfect.)
What we were left with was a bunch of consultants and lawyers who had a vested interest in creating a panic around the Regulation, and nobody to tell small businesses (and even big businesses) what the right way to read it is.
What we ended up with is hundreds of useless privacy policy updates and hundreds of totally unnecessary consents for who knows what data (because people understood that they should ask for consent, not that consent has to be linked to a particular processing activity and purpose). And we ended up with websites shutting down for the EU and small projects being taken down because people just didn't want to risk the scary fines and the lawsuits that would allegedly follow.
And they shouldn't worry. Really. I've been trying to explain to as many people as I have had the chance to that it's not forbidden to process personal data, that the guidance prescribes a process of recommendations before an actual fine, and that you don't need to pay thousands of euros to consultants. That their small website is low risk, with little (if any) personal data, and there's nothing to worry about. But no. Somebody said that "if you store IP addresses, you can be fined". And people incorrectly calculate their own risk as high. And kill their projects.
Small businesses can't and won't pay the consultants, so they're left with the breadcrumbs they can find online, and there's a lot of noise. And they'll do unnecessary things and won't do the necessary things, because they don't know which is which.
GDPR itself is fine. So the "sin" lies not with the Regulation itself, but with everything that surrounds it. And with time this chaos will settle. But this is not an ordinary piece of legislation that matters to one sector and that only lawyers need to understand. And I hope this is a lesson for bureaucrats: when you make a change that impacts so many businesses and activities, you should also make sure that change is well understood. Otherwise you are creating more problems, at least in the short term, than you intended to solve.
Put up a website for the Data Protection Board. A small, clear website with an easy-to-navigate list of frequently asked questions. What should I do if I store IPs in my logs? Do I have to do something if I have a mailing list? What if I have a public forum or IRC channel? What should I do about my Facebook and Google plugins that bring tracking cookies with them? Should I ask for consent, and when? How do I implement this or that data subject right in an online shop?
These are things that many, many people have asked. And no authority has given an answer. The answer is left to speculation, which has led to negative effects.
Again, I'm sure this smoke will clear soon. But my call for easy-to-use, accessible resources remains. They will surely help people understand the Regulation and be less scared and panicked about processing personal data.
The Great Sin of GDPR was originally published in Hacker Noon on Medium, where people are continuing the conversation by highlighting and responding to this story.