I know, I know. There is something quixotic, not to mention thankless, about wandering around the internet looking for people who have misunderstood what privacy and data protection are all about and correcting them. But this article from the New York Times is such a clear illustration of the way in which many outside Europe misunderstand the topic that it just cried out for a response.
I do a fair bit of work for overseas, and particularly US-based, clients. Many of them come to me convinced that GDPR is going to make it impossible for them to do business in the UK or mainland Europe - unable to fathom how they will integrate their existing way of operating with a requirement (as they understand it) to obtain detailed, explicit and unequivocal consent from every data subject before they begin.
This misunderstanding stems from a combination of factors: the preferred approach in the US of so-called "notice and consent", a large measure of lazy journalism and (to be fair) historic misunderstandings on this side of the Atlantic. It misses a simple fact that cannot be repeated often enough: consent is only one of six lawful bases for processing personal data compliantly. It is not the most important and, outside of certain marketing activities, it is seldom the best. If you are coming from a "notice and consent" model, processing on the basis of contractual obligation or legitimate interest can often be, if anything, even more streamlined.
From this fundamental misunderstanding, others follow. The right to be forgotten, which matters where processing depends on consent and that consent has been withdrawn, is not half so important under the other lawful bases for processing. The idea that it can be used to erase "bad actions" which society would benefit from knowing about is simply wrong. But the biggest misunderstanding that these misconceptions lead to is that data protection makes business more expensive and less competitive. That privacy is the enemy of profit.
To be clear, data protection is not privacy. But it is possible to get data protection right in a way that promotes privacy while simultaneously benefiting businesses. An audit of processes might reveal that 30% of the data captured from new customers is not needed. Reducing this requirement meets the data minimisation principle while simultaneously improving customer experience by streamlining the on-boarding process. Handing more control to users over the way in which their contact preferences are handled meets obligations around accuracy and data subject control while also reducing internal administration costs. And with a growing awareness among consumers of their rights as data subjects, there is a range of companies that expect to see genuine competitive advantages from demonstrating their genuine respect for the privacy of their users. There has been a surge of interest in privacy-centred alternatives to mainstream applications, but we are also seeing significant tech players like Apple pivoting to a privacy-centred offering.
There will always be businesses that don't want to move with the times. Some of them will fail; some will absorb the fines and damages flowing from non-compliance into their ever-increasing costs of doing business. But for those who want to embrace a modern, privacy-centric way of working, building in data protection by design and from the ground floor up, this regulatory landscape represents far more opportunity than it does threat.
Privacy advocates often point to European privacy rules as a model for the United States. Under those rules, the General Data Protection Regulation, companies that operate in Europe or handle European data are required to obtain consent before collecting data. They also must provide users with the “right to be forgotten” — the ability to delete their information upon request. In theory this might sound beneficial. But some services we highly value, such as spam filters, require analyzing emails quickly — and without consent. Allowing everyone “the right to be forgotten” will enable people to erase information about bad actions that society might benefit from seeing. And do we really want to emulate European rules if they undermine competitiveness? With the uncertainty over how to comply with those rules, entrepreneurs have looked to markets on other continents, strengthening big companies that can afford to pay big penalties for their privacy violations. The rules make it more costly to build a data network, which could explain why there are no European rivals to America and China’s big companies.