An FUQ for the GDPR
I started writing this on Privmas Eve: the day before Privmas, aka GDPR Day: the one marked red on the calendars of every company in the world holding an asset the GDPR has suddenly made toxic: personal data. The same day—25 May—should be marked green for everyone who has hated the simple fact that harvesting personal data from everybody on the internet has been too damned easy for too damned long for too damned many companies, and governments too.
Whether you like the GDPR or not (and there are reasons for both, which we'll get into shortly), one thing it has done for sure is turn privacy into Very Big Deal. This is good, because we've had damned little of it on the internet and now we're going to get a lot more. That's worth celebrating, everybody. Merry Privmas!
To help with that, and because 99.99x% of GDPR coverage is about what it means for the fattest regulatory targets (Facebook, Google, et al.), here's an FUQ: some Frequently Unasked (or Unanswered) Questions about the GDPR and what it means for you, me and everybody else who wants to keep personal data personal—or to get back personal data those data farmers have already harvested. (The GDPR respects both.)
A note before we begin: this is a work in progress. It's what we know about what's now possible in a world changed by the GDPR. And "we" includes everybody. If you want to help, weigh in. For some guidance on this, see Privacy is still personal. Also our Privacy Manifesto, still in draft form. Here goes...
Why do we have the GDPR?
The GDPR is a privacy regulation. We have it because technologists failed to develop personal privacy technologies that could be widely used, and in turn drive norms, and regulation based on those norms.
In other words, the regulatory cart got ahead of the development horse.
Yes, we do have some privacy tech, for example crypto, onion routing, and tracking protection. But these are wizards' tools. Muggles hardly know about them. So there are no norms here. We attempted to create a standard way to signal the need for sites to at least respect our human dignity, with Do Not Track. But the "interactive" advertising business and its dependents killed it, causing ad blocking to skyrocket. (Some history.)
And now we have the GDPR. Hopefully it will spur the development, widespread adoption and respect for personal privacy tech and norms online. Maybe then the tech and norms horses will get back in front of the regulatory cart.
What's the deal with all the cookie notices and "consent walls" (or shades, when they only take up part of a page) mostly—if you read between the lines—to exactly the kind of tracking and profiling the GDPR was meant to outlaw?
First, the GDPR forbids website operators to coerce consent to tracking before visitors are allowed entry to a site. (See Can websites use “tracking walls” to force consent under GDPR? by @JohnnyRyan of @Pagefair.) So any site that even hints at blocking entry to a website to obtain tracking consentis in violation.
More importantly, all sites do this stuff differently and (this is the important thing) you don't have one way to tell all sites that you don't consent to tracking.
Bottom line, what does the GDPR mean for the "natural persons" it also calls "data subjects"?
It means we're in charge now: at least of ourselves—and of our sides of relationships with the corporate entities we deal with.
No, the GDPR doesn't say that specifically, but both the letter and the spirit of the GDPR respect privacy as a fundamental human right. Since rights are something we exercise as individuals, and not just a something good corporate behavior allows us to enjoy, we should be able to provide it for ourselves as well.
Don't we have enough privacy tools already with crypto, onion routing, VPNs and so on?
No, we don't.
Those are all forms of protection against exploitation by others. Privacy is personal. To make privacy personal, we need tools that create private spaces around us on the net, much as clothing (the original privacy tech) does for us in the natural world. We also need ways to signal to others what's okay and what's not okay, and to know easily when those signals are being respected and when they are not. And we need ways to move about the net anonymously, and to submit identifiers only on a need to know basis, and then in ways we control.
It helps to realize that technologies are extensions of ourselves. They enlarge our agency: our ability to act with full effect in the world. Think of how we use the possessive pronouns my, hers, his and theirs when we speak of the tech we use, and the private capacities and spaces our technologies already define. A person says "These are my clothes", and "This is my house" or "my room". A driver says "This is my car", and a rider says "This is my bike." A pilot speaks of her wings, because her senses extend outward through the tech to the perimeters of the tech's shape and influence. When we swing a hammer expertly, that tool is a literal extension of the body, giving us power we otherwise would not have to pound nails through wood.
We've had tens of thousands of years to make privacy well understood and non-controversial in the natural world. We've had just a couple decades to do the same in the networked world. Now, in the regulatory easements the GDPR has opened up, we can start to develop new tech that not only protects our privacy natively, but projects outward personal powers we hadn't bothered to imagine in a world ruled by corporate and government giants.
Is the GDPR just about data?
Not any more than your body is about blood, or business is about money.
Data is the focus of the GDPR, however, because data is what has been harvested from us by countless companies and governments, with great abandon, and with great injury to the way society works online (especially through giant "social networks").
But agency is the issue. Having the power to control one's life and relations with others online is the larger context, and full agency gives us that. If we focus only on data, we stay one level below agency and risk getting stuck inside old arguments and making no progress where it counts.
Is my data really still mine after it has left my exclusive control?
Nature didn't come with ownership any more than it came with privacy. We had to invent both as concepts, instantiate them with technologies and develop laws respecting what both mean as collections of rights. The GDPR is an example of the last of those. It would have been good if we developed the tech before we developed the policy, but we were slow with the tech, so we got the policy first.
And now here we are, with heaps of personal data out there in the world, with a great un-clarity about who owns what, meaning who has a right to do what with the data they have.
In My Data, Your Data, Our Data, Their Data, Everybody’s Data, Iain Henderson offers this graphic as a way to start showing how much "my data" matters, beyond the protective scope of the GDPR:
He explains that "this categorization is based on provenance, i.e. what is the nature and source of a specific piece of data. It is not about saying a data attribute has to live in one bucket or another; in fact quite the opposite; for example, Alice’s home address can be found in each of these buckets, with different use characteristics and implications depending on which it is being sourced from for any specific use", adding, "My Data, when delivered at scale in standardized ways is the true game changer...for both individuals and organisations. The current data / systems architecture in which organisations are the holders of the customer-supplier relationship record does not make sense when a solid alternate built around the individual is possible."
As an example, he writes, "If individuals had smartphones 25 years back then, the model that would have evolved would have been one on which the individual held the relationship record and the relevant organisations subscribed and published to that; that’s by far the more technically efficient model."
Is it possible to actually escape all the corporate silos in which we now seem trapped?
It's not only possible, but inevitable. We centralized in giant corporate silos because the model of industrial scaling and mass marketing has been pro forma ever since industry won the industrial revolution. Amazon does with online retailing what Sears did with selling through catalogs. Google does with search what Standard Oil did with fossil fuel.
But the internet is a wide-open non-space where anybody can not only deal with anybody, but get scale of their own across any number of other entities. That's Iain Henderson's point under the question above.
Think, for example, of what can be done in the commercial marketplaces where we currently have to contend with thousands of "martech" companies: ones marketing at us, in thousands of different ways. We can start coming at that mess with #customertech: tech of our own that gives us scale across all the corporate entities we deal with in the open marketplace. For more on the possibilities here, see Customertech Will Turn the Online Marketplace Into a Marvel-Like Universe in Which All of Us are Enhanced. Enhanced by new tools, we can, for example (sourcing that last link)—
- Make companies agree to our terms, rather than the other way around.
- Control our own self-sovereign identities, and manage all the ways we are known to the administrative systems of the world. This means we will be able to —
- Get rid of logins and passwords, so we are simply known to others we grace with that privilege. Which we can also withdraw.
- Make the Castle Doctrine apply in the networked world, and turn browsers into the private vehicles they should have been in the first place.
- Change our email or our home address in the records of every company we deal with, in one move.
- Pay what we want, where we want, for whatever we want, in our own ways.
- Call for service or support in one simple and straightforward way of our own, rather than in as many ways as there are 800 numbers to call and punch numbers into a phone before we wait on hold while bad music plays.
- Express loyalty in our own ways, which are genuine rather than coerced.
- Have an Internet of MY Things, which each of us controls for ourselves, and in which every thing we own has its own cloud, which we control as well.
- Own and control all our health and fitness records, and how others use them.
- Help companies by generously sharing helpful facts about how we use their products and services — but in our own ways, through standard tools that work the same for every company we deal with.
- Plus lots more already in the works here.
- Have wallets of our own, rather than only those provided by platforms.
- Have shopping carts of our own, which we can take from store to store and site to site, rather than ones provided only by the stores and sites themselves.
- Have real relationships with companies, based on open standards and code, rather than relationships trapped inside corporate silos.
All of those were barely more than imaginable prior to the GDPR. Now a strong sense of possibility is heating up under all of them. And in many cases there is already work underway.
Why is my data better than the same data held by others?
Iain Henderson again:
The upcoming change is therefore not going to be driven primarily by regulation (and the associated huge fines) or even advanced concepts such as Privacy by Design. It will be driven by simple economics and efficiency; the best data-set available on an individual will be that controlled by the individual; i.e. My Data. "Best data" in this context means:
• Most accurate
• Most up to date
• Most compliant with relevant legislation globally
• Least costly to manage and use
• Readily accessible with modern technologies
• Future looking and future proof
What that means in practical terms for both parties is that there will be a migration from the Organisation Push model to Customer Pull; demand will drive supply, not the other way around. That will eliminate huge amounts of guesswork and waste from over-production of goods through to the enormous time and money sink that is direct marketing and online advertising.
How do I get back data that's been collected about me?
Every EU country has its own approach. In the UK, you do it with a Subject Access Request. TechRepublic has a good guide here.
We'll post more here when we know more. Again, you can help. Criticism is welcome, but contributions more so.
What about metadata that's already been processed?
That's moved in to the Their Data territory, and your right to that is a lot harder to establish. Better to go for the low-hanging data fruit that's unambiguously yours. At least in the short term.
What does this mean for UX, or User eXperience?
It means it should finally be yours. An experience cannot only be one "delivered" to you.
In a post-GDPR world, you're not just a user. You're a controller.
It's interesting that the GDPR says a data controller can be what they call a "natural person". While the EU may have been talking about something else (such as a one-person operator in the marketing matrix), we each are in fact natural persons who should be able to control our own data.
Think about the experience of driving a car or riding a bike. Obviously the experience will be better in a good car or a good bike than it will be in bad ones. But the experience is still yours.
How about what marketers call CX, or Customer eXperience?
Marketers don't know it yet, but the GDPR means you get to take over your experience of the marketplace online now.
And let's face it: being entirely in charge of the customer experience is not only a huge burden on a company (no matter how well they do it, or what help they get from their CRM suppliers), but a giant slowdown for everybody.
Isn't the GDPR just another example of government interfering with private markets?
It's always best when tech takes the lead and laws follow. But tech didn't, at least when it came to privacy. So regulators stepped up where tech didn't, and here we are. We could have gotten a lot worse than the GDPR. Let's make the most of it.
Isn't the GDPR just another PITA for everybody?
Yes and no.
Yes, it's certainly a PITA for us, and for every company that has a list of subscribers. That's why you're getting all those "opt back in" emails from lists you subscribe to. Including ours.
But have you noticed that this is actually a great way for you both to get rid of email subscriptions you'd rather not have, and noticing which email lists aren't bothering to give you the option? Nice "hmm" there, no?
It's also good for companies to clean up their lists.
Yet that stuff is nothing compared to what will happen when developers see all the ways people can do more with their own data than companies ever could. It'll be just like we saw with computing (which wasn't personal until the 1980s), with networks (which weren't ours until we got the net in the mid-1990s) and with mobile devices (starting with phones that run apps in 2008—and that revolution's still only getting started).
Look, it's Privmas Eve. We just got this idea and put up what we could in the time we have. After Privmas, we'll keep adding to it and improving it. Again, help us out.