It's European Data Protection Day on 28 January. The Council of Europe was celebrating the 12th edition of the day commemorating data protection. This year’s event focused on a topic which caused a lot of excitement in the last ten months: the General Data Protection Regulation (GDPR).
On 28 January 1981, the “Convention for the protection of individuals with regard to automatic processing of personal data” was signed, regulating the protection and cross-border exchange of personal data. On each anniversary of this day, many actions, webinars and presentations take place all over Europe to raise the EU citizens’ awareness of data protection. Since 2008, the Data Protection Day has also been celebrated in the USA and Canada.
This year, most contributions centered around one particularly hot topic: the General Data Protection Regulation (GDPR). After two years of preparation, it came into force on 25 May 2018. But what has happened since? Where are the challenges, for example regarding new technologies such as artificial intelligence?
No flood of cease and desist letters
The GDPR primarily aims at consumer protection. Companies and website owners now have to tell the users what they know about them. Users have a “right to be forgotten” and can demand erasure of their data at any time. From the point of view of data security, this harmonization of data protection regulations in the EU is certainly a success. However, the new regulation brings major challenges above all for small-sized enterprises and associations.
Shortly after the introduction in late May 2018, the journalist Enno Park tried to find out how many blogs and platforms had closed down. More than 300 (now ex-)bloggers came forward on Twitter. He estimates the number of unknown cases to be at least ten times this figure. However, the dreaded flood of cease and desist letters and insolvencies did not materialize.
The Atlantic blockade
While large website operators were mostly geared towards a data protection-compliant Internet presence, some websites were offline shortly after introduction of the GDPR. Some US-American operators had completely omitted to prepare for the new situation and simply blocked all users with a European IP address. Now, after the first months of GDPR, the ‘Atlantic blockade’ issue continues: American providers are still restricting their services, charge access fees, or block all European users. This is only one of the reasons for Cultural scientist Michael Seemann‘s concerns that the Regulation will result in a “de-digitalization” of Germany. He says it caused Germans uncertainty and made them too afraid to operate a website of their own.
Despite all negative reports, the GDPR brought various benefits for the consumers. For example, every company must now have a data security officer who verifies that the statutory requirements are met. A fine of up to four per cent of the annual sales may be imposed in case of violations. Consumers can always address any complaints they may have to the data protection authority of their own member state rather than to recipients in the country of the company.
Artificial intelligence and the GDPR – a challenge?
For artificial intelligence, however, the GDPR is a huge challenge. Machine learning is based on big data analysis. This is complicated by Article 22 of the General Data Protection Regulation: It specifies a person’s right “not to be subject to a decision based solely on automated processing, including profiling”, which produces “legal effects concerning him or her or similarly significantly affects him or her”. (Go to Heise to learn more)
The GDPR has scared the hell out of many companies, even long before it came into being 10 months ago. At the same time, however, it improved the situation of consumers and the protection of their data. The best advice is to accept the Regulation with equanimity and to laugh at the red tape absurdities produced by this jumbo of an administrative feat.
- The 12th European Data Protection Day took place on 28 January; this year, the focus was on the General Data Protection Regulation.
- The main goal of the GDPR is the protection of the consumers and their personal data.
- For artificial intelligences, the GDPR is a major challenge: Machine learning involves the collection and use of huge data volumes. Accordingly, users must generally be informed in detail about how their data will be used.
Update February 11, 2019: Google must pay a fine of 50 million euros for several violations of the DGPR. This was decided by the French authority CNIL because Google violated the principle of transparency and did not obtain valid consent for the processing of data. Find out more.