Reverse-engineering GDPR: Why our intentions shape our reality
Contributor Kristoffer Nelson suggests you learn to stop worrying and love GDPR, because the new consumer-friendly data environment is here to stay.
The European Union’s (EU) General Data Protection Regulation (GDPR) is no different from the first two minutes of your yoga class. Yeah, you heard me right.
In addition to child’s pose, yoga instructors typically begin their classes with words of encouragement. Instructors encourage students to set an intention for the next 45 minutes to develop an awareness of the virtue they wish to actualize in their everyday lives. It could be anything from spending more time with their families to focusing more heavily on their mind/body health. The hope is that a stronger awareness will provide students with the inner strength to make the changes necessary to better their lives down the line.
With the implementation of GDPR on May 25, 2018, the EU was the first to lay down a law in support of the newly empowered users of the web. But consumers have yet to benefit from GDPR because it’s scaring companies into compliance and overloading them with highly demanding guidelines.
Rather than focusing on the punishment aspect, I want to call attention to the fact that GDPR’s true merit lies with intention: intention to build worldwide awareness of the issues in data privacy that are increasingly dominating our lives and to redefine companies’ intentions to support a more transparent, consumer-oriented culture.
Data activists went lawsuit-happy
For the last two years, companies around the world have been gradually preparing for the big day. And by preparing, I mean openly stressing about complying with GDPR’s convoluted, seemingly vague guidelines on data regulation.
Less than 24 hours into full-fledged GDPR sovereignty, news broke of lawsuits filed against Facebook and Google. Austrian privacy activist Max Schrems didn’t even wait a day before slapping the two tech giants with suits that totaled $8.8 billion.
Other privacy activists like the French digital rights group La Quadrature du Net have also filed complaints against Google and Facebook, as well as Apple, Amazon and Microsoft’s LinkedIn, for their practice of “forced consent.” On one hand, these moves come from built-up frustration over companies’ non-transparent data collection practices — and rightfully so. On the other hand, both Schrems’s and La Quad’s hastiness could do a lot more harm than good.
Aside from the fact that these suits suggest GDPR is solely about the money and regulations, which could cause the average consumer to lose trust in a system that has yet to see the light of day, they will likely also create an unnecessary amount of havoc for companies. Additionally, they completely undermine the progress that many tech companies have made to their platforms.
Change is here
In order to increase consumer choice and transparency, many tech companies, social media platforms, publishers and e-commerce sites have made a great effort to suck the poison out of their services, update their privacy policies and release new features.
Facebook has developed a new means of cutting down on fake news, and Apple has unleashed new tools that will allow EU customers to download all of their data and see information about purchased apps, photos and documents. And both Apple and Microsoft have explicitly stated that they are dedicated to implementing GDPR-compliant policies, not only for EU consumers, but for the rest of the world, too.
Sure, we know in the back of our minds that the reason behind these changes is in large part due to GDPR’s fines, but how can privacy activists expect real change when they are looking at it straight in the face and still choose to pursue legal action?
Someone has to give these companies a small pat on the back, but I guess that’s only going to be me.
Companies can take a breather
With so much emphasis in the media on potential penalties and fines that come with non-compliance, many companies’ focus on GDPR compliance stems solely from fear. But companies should take a second to do their yoga “oms” because there is no reason to stress just yet.
Let’s be clear: GDPR regulators definitely have the authority to impose a fine, which explains why some activists instantly rolled out lawsuits, but that fine does not happen right away.
The exact fine depends on numerous factors, such as the severity of non-compliance and potential personal data breaches, the measures taken to be GDPR-compliant, the degree to which an organization fails to set up the essential mechanisms to prevent personal data breaches and so on.
This is the case with most aspects of the GDPR regulation. There are many details that come into play, and because GDPR is in its infancy, we can’t be sure exactly how the fining process will unfold.
If both companies and data privacy activists were able to take a step back and view GDPR not as a set of rules and regulations but instead as a vital piece of this newfound consumer-focused mindset, we could tackle the real issue of data privacy as a united front.
Redefining GDPR’s intention
In light of the recent scandal involving Facebook and Cambridge Analytica and the fact that questions and concerns about consumer data usage are more than ever in the headlines, GDPR comes at a crucial point in the internet timeline. GDPR redefines data privacy as we know it.
It offers consumers choice about how their personal data is used and pushes companies to cultivate a data-empowered environment of openness and accountability. Under GDPR, and with the emergence of this newly enlightened expectation of a consumer-first world, consumers are no longer required to manage the Wild West of the web alone.
As far as the race for compliance goes, no matter the year or point in time, one thing is for sure: Regulatory compliance will always come down to how a company handles user data transparency and whether that company puts forth substantial effort in maintaining a clear line of communication with consumers.
In other words, if a company wants to be sure not to cross the hazy line of non-compliance, it must build transparency into the very heart of its company ideals. And data privacy activists, for their part, should restrain themselves from filing suit at the drop of a hat.
If the goal of GDPR is to gain consumer trust and establish the intention of a safer internet, then both companies and data privacy activists will have to act accordingly. Only once we have figured out the proper balance between both sides will the rest of the world follow suit, change the digital age for the better and allow consumers to take back control of their data. Namaste.