Missed deadline, or why more than half of companies were not ready for GDPR

In recent days, inboxes have been filling up with emails from every company, application, service and website you have ever used or registered an account with. The emails are all much the same: they announce a change in privacy policy and explain how the company processes personal data.

We have already written about what exactly is changing in the data processing policies of the large IT companies: WhatsApp, Facebook, Instagram and Twitter. Now let's look at why dozens of emails from so many services began arriving only now, after the formal GDPR deadline, why not all companies managed to prepare for the transition in time, and what problems they ran into.


/ photo Dennis van der Heijden CC BY

What's happening


On May 25, the GDPR (General Data Protection Regulation) entered into force. It regulates the protection of the personal data of residents of EU countries and replaces the Data Protection Directive of 1995.

GDPR affects everyone, because it applies not only to companies registered in the European Union but to anyone who stores, processes or uses the personal data (PD) of EU citizens.

Companies whose business models depend heavily on working with PD started preparing in advance. Facebook, for example, announced even before the GDPR came into force what it would do to comply with the new rules: all users would be asked to review their privacy settings, and they would be able to choose whether they are willing to share their information for targeted advertising and, if so, which information. In addition, the social network planned to bring back face recognition, which had been disabled after a court ruled that the tool violated personal data laws.

But not all companies treated the new rules with the same heightened attention. In April, the Ponemon Institute surveyed thousands of companies, half of which admitted that they would not be ready by the deadline. Among IT companies the figure was 60%.

As a result, many really could not meet the requirements of the regulation on time, even though the deadline had been known for a long time (the final version of the GDPR was published two years ago). According to a survey conducted a year ago by the European company TrustArc among two hundred businesses from different countries and industries, 61% of companies had not even begun preparing for GDPR.

Why compliance is so hard


Many companies missed the deadline not only because they put everything off until the last moment. There are several fairly objective reasons.

The law is very complicated


And it sometimes overlaps with local legislation on the processing of personal data. Lawyers point out that the regulator's rules are genuinely hard to understand, let alone to rebuild a business around so that it complies with them.

For example, some of the wording in key parts of the law provoked heated debate: consent to the use of ordinary personal data must be “unambiguous” (that is, clear, understandable and not open to misinterpretation), while consent to the use of “sensitive” personal data must be “explicit” (clearly stated, exhaustive).

But is there a difference between these two definitions and, consequently, between the two kinds of “consent”, and if so, what is it and how should it be expressed in practice? The question is far from idle: the legally correct answer determines, for example, how the checkboxes in an interface that record a user's consent to PD processing may and may not be designed.


/ image Giulia Forsythe PD

In addition, the law does not take local specifics into account: different countries, for example, have different attitudes to personal data. That is partly why many parts of the law are deliberately kept general, which leaves room for a variety of interpretations.

Some provisions of the GDPR even contradict, for example, Russian Federal Law No. 152-FZ “On Personal Data”, which creates additional difficulties for Russian companies that in one way or another collect and use the PD of European citizens.

Restructuring processes


And not only from a technological point of view, but from a business point of view too. Some companies fear that if they tell users exactly how their personal data is used, people will never hand it over.

That is why the approach Facebook implemented to obtain user permission was ultimately criticized: the whole flow nudges the user to quickly agree to the new rules and keep sharing their information with the service.

The “Agree and continue” button is the most attractive and prominent one, while the alternative, “Manage data settings”, is already harder to find. If you click it, Facebook first tries to persuade the user to leave everything as it is. In addition, Facebook does not let a user share certain personal information on their page while refusing to let the social network use that information for advertising purposes.

In addition, small and medium-sized businesses often simply lack the technical and human resources to work through the requirements of the law and make all the necessary preparations, so for them bringing all their systems into line with the GDPR becomes very expensive.

The law does not keep up with new technologies


The regulation was drafted and adopted over several years, so many of its assumptions about the current state of technology are already outdated: it is unclear, for example, what to do with Big Data and machine learning.

For instance, the GDPR requires transparency from machine learning algorithms: developers should be able to explain why an algorithm made a particular decision. In other words, the law prescribes that a user can at any time obtain a detailed explanation of how their personal information is used, in order to make an informed decision about whether to agree to it.

With machine learning algorithms this is not so easy to do: even their own engineers sometimes cannot explain why an AI system made a particular decision at a particular moment. The GDPR does not address this. And there will be more and more such cases; the law will have to be updated constantly, yet in practice legislation will always lag behind the development of technology.

The hardest hit were the companies that develop smart assistants: Google Assistant, Alexa, Siri.

These services always listen (albeit in the background) to everything that happens around them in order to “wake up” at the right moment and execute a command on hearing the wake word. The technology is still imperfect: not long ago, for example, Amazon ran into an unexpected problem when Alexa periodically began to laugh because it heard “Alexa, laugh” in ambient speech.

It sounds “funny”, but under the GDPR this situation is a gray area that nobody yet knows how to control. Formally, smart assistants do not record sound and do not transmit it anywhere, but the recent case with that same Alexa, which because of a technical bug sent an audio recording of a private conversation between household members to one of the contacts in the phone book, shows that things can turn out differently.

In such cases everything will depend on whether users actually suffered as a result: for example, whether the information was not used and the service “reacted” quickly and deleted it. Alexa's developers have promised to improve their voice recognition algorithms so that such an unlikely event does not happen again.


/ photo Oliver Henze CC BY-ND

How the operation of such services will be regulated under the GDPR is not yet clear. Experts and journalists agree that such services will most likely have to obtain users' consent to the fact that the smart assistant always listens, always records and possibly transmits information to third parties.

What happens next


What awaits companies that failed to bring their business processes into compliance with the law, or violated it? Some believe that May 25 was a “soft launch” and that the regulator will not go after companies that missed the deadline (especially if they had objective reasons). That said, the penalty for non-compliance has already been set, and it is very significant: up to 4% of a company's annual revenue.

There is, however, one complication: not all enforcement now rests solely with the regulator. Users themselves also have power: for example, they can demand that a service provide, correct or delete all of their PD. If these processes are not in place and the service technically cannot meet the user's request, there is a risk of litigation that the user may well win.

Many experts still believe that the market will not be able to fully comply with the GDPR, if only because the field is badly under-researched: the law, correct as its intentions are, does not cover many important cases and ways of using and storing personal data. If such studies (thorough and detailed) do appear, they will form a good basis for refining the law.

Still, the emergence of the GDPR is an important sign of shifting priorities. Previously, personal data management was the “shadow component” of almost any business, and companies could handle data as they pleased, but now users have finally received at least some tools to control their own data on the Web.


Source: https://habr.com/ru/post/413889/
