Think GDPR was a disaster? EU's ePrivacy Regulation is worse

MAKE IT STOP! That’s what most of us have been screaming over the past couple of weeks.

Yes, it’s been GDPR Purgatory here in Blogwatch Towers. I daresay it’s been the same where you are, too.

But wait! There’s more. The next set of European privacy regulations is coming. In this week’s Security Blogwatch, we brace for impact.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: ImGnaB 50Mls 

Top 4 Myths Regarding GDPR Compliance Beyond the EU

Ghastly, dumb panic recipe

What’s the craic? Brian Fung and Rick Noack explain Why you’re getting flooded with privacy notifications in your email:

If you're like most Internet users, you've probably gotten [swamped with] privacy policy updates at your favorite websites — and perhaps even at a few sites you'd completely forgotten about. … What the heck is going on?

[It’s] because of a new set of privacy protections. … The EU's General Data Protection Regulation, or GDPR, went into effect on Friday [but] even U.S.-based companies who handle the data of E.U. citizens try to make sure they're in compliance.

Failure to comply with GDPR comes with the risk of heavy fines. … In the case of Facebook … a violation could mean an eye-popping $1.6 billion penalty.

That’s a lot of moolah. And as David Meyer reports, Activists Are Already Targeting Google and Facebook:

One organization has already made official data protection complaints about Google, Facebook, WhatsApp and Instagram, while another is going after the shadowy data brokers that trade people’s information behind the scenes.

[The first] group [is] called None Of Your Business (NOYB)—a non-profit founded by the very successful serial Facebook litigant Max Schrems. Schrems [is] the Austrian lawyer who annihilated the U.S.-EU Safe Harbor data-sharing agreement a few years ago.

The new law says … people can’t be forced into consenting … in order to use a service. According to Schrems … Google and Facebook are railroading users in this way.

Schrems and his non-profit argue that … their complaints … should put an end to all those annoying consent popups. … “If companies realize that annoying pop-ups usually don’t lead to valid consent, we should … be free from this digital plague soon,” he said. “GDPR is very pragmatic: … Whatever is really necessary for an app is legal without consent, the rest needs a free ‘yes’ or ‘no’ option.”

What a mess. But couldn’t the EU have seen this coming? Andy “Zocalo” Blanchard blames the marketroids and the lawyers:

Confirmed Opt-In, or COI, has been … a best practice … for many years now. You didn't need to be psychic and predict the future to anticipate GDPR; you just needed to be above-board about what you were doing with the sign-up process and follow … best practice.

If you'd done that, and retained a copy of all of your opt-in confirmations, then all the end-user interaction that GDPR compliance would have required would have been a simple rider on a regular marketing email reminding your subscribers of where they could view your GDPR policies … and to change their communications preferences if they wished.

Sadly, … this point seems to have escaped most mailing list maintainers, … even amongst those [who] have been using COI for years.

[ See also: GDPR and Your Business: Achieve Transformation Through GDPR Compliance ]

Could this get any worse? Oh, yes. It ain’t over until Natasha Singer: [You’re fired—Ed.]

The new European data privacy legislation is so stringent that it could kill off data-driven online services and chill innovations like driverless cars, tech industry groups warn. [But] These industry alarms are not over [GDPR]. Instead, the cause is an even stricter privacy law.

It is called the ePrivacy Regulation. … The law was approved by the European Parliament last fall and is under review by the Council of the European Union. … officials had originally intended for the law to go into effect this month, but Council negotiations have been slowed by internal disagreements.

The current draft [would] require Skype, WhatsApp, iMessage … and other electronic services that allow private interactions to obtain people’s explicit permission before placing tracking codes on users' devices or collecting data about their communications. [It] provides only one condition under which a company may use data or metadata about users’ electronic communications: … explicit and informed permission … for a specific, agreed-upon purpose.

The bill also requires companies to offer people the same communications services whether or not they agree to have their data collected.

Oh, brother. Chris O’Brien warns, more EU privacy rules may be on the way:

Clearing out all the spam from companies complying with the EU’s General Data Protection Regulation may have worn you out over the weekend. But rest up, bucko, because that may have only been Round 1.

The overall goal is to take existing rules that govern traditional telecom … and extend them to newer communications services such as Skype, WhatsApp, Facebook Messenger, [etc.] The proposed rules … specify a right to privacy for all such communications. [It] further states that mobile apps or internet services … cannot “intercept, record, listen into, or tap in your communications” in any way to make use of that data, even if … anonymized.

With strong political momentum around … privacy in Europe, and an equally strong desire to level the playing field between tech companies and consumers, privacy advocates are optimistic the rules will be adopted in the coming months.

Politics, eh? Ted Gioia sounds slightly sarcastic:

Strange but true: Europe demands privacy protection from Silicon Valley, while US legislators do nothing.

Of course, this has nothing to do with the $20 million Google spends on lobbying in the US each year.

It’s enough to drive Andrew Bloch to drink:

Me: *opens can of beer*

Beer: I've updated my terms of service and privacy policy as part of my commitment to GDPR compliance.

Hilarious. But seriously, the effort to get compliant is crippling, no? No, argues Thomas Fischer:

#GDPR is not about compliance... i.e., having a bunch of tech & stuff ready by May 25.

[It’s] about ensuring you are taking constant adequate steps to secure personal data and can demonstrate accountability for everything that happens to personal data.

There is no list of things that you have to have ready by May 25th. No one on May 26 is going to knock [on] your door and say "show me your GDPR compliance". … If you are able to demonstrate accountability, you have a good starting point.

[No] "proactive" action [unless as a] result of a data subject complaint or if you are a known abuser of personal data (think big US orgs). There is nothing in the GDPR that would indicate a proactive audit.

And here’s Henry Farrell’s fascinating viewpoint:

Pretty well everyone - whether they like it or hate it - is treating [GDPR] as a set of rules. That's a very limited perspective. It's not just a set of rules - it's a set of political opportunities.

The GDPR is complex and ambiguous and … no-one understands it. For many actors, that is not a bug but a feature - they are struggling to define the ambiguities in ways that advantage them.

Facebook has made GDPR compliance a big part of its PR response to the Cambridge Analytica and Russian trolls disaster. But it is interpreting GDPR in an aggressively minimalistic way.

Facebook has tried to maintain for years that advertising and services are inseparable. Now, these claims are going to be subjected to serious judicial scrutiny.

So the real impact of GDPR doesn't depend on what firms are doing to comply with it this morning. It depends on a variety of political and legal battles that are going to be fought over the next several years using the new tools that the GDPR provides.

Meanwhile, you have to hand it to israel_hands:

I'm strongly considering investing in metaphorical popcorn futures.

The moral of the story?

It’s time to get ahead of the next tranche of regulations, but beware of lawyers playing it safe.

And finally …

I’m Gonna Be (250 Miles)


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Bobby Hidy (cc:by-sa)
