When lawmakers, governments and regulators are terrible at complying with the GDPR, why should anyone else bother?

They want to infer consent, they want to craft new rules for their own data collection activities and they want to fine themselves less than they demand private organizations be fined. When regulators and lawmakers are this bad at implementing data protection practices, what hope does anyone else have?
by Jason Smith on 31st July 2018

What do a host of EU institutions and data protection authorities, upwards of thousands of lawmakers and the chair of the UK Parliamentary committee tasked with investigating Facebook have in common?

They are all operating in contravention of the GDPR (at least they would be if the GDPR applied to their activities as it applies to private organizations).

Of course, lawmakers and institutions aren’t just harvesting users’ data.

They are, on the one hand, endlessly disparaging social media platforms to further their own careers and political objectives, often via grandiose or theatrical public hearings, while, on the other hand, taking advantage of every feature said platforms have to offer.

Numerous governmental websites, including Gov.uk and Europa.eu, are serving like buttons, share buttons, video embeds or analytics scripts to their users.

Some of this content, when requested from their websites, shares swathes of data with the third-party platforms that are, on any politically advantageous day, primary targets for lawmakers’ ire.

Some lawmakers have also determined that public bodies should be able to infer consent under the GDPR, while others have determined they aren’t subject to the same laws private organizations are subject to, but to regulations that broadly mirror the new privacy regulations (albeit with important caveats).

Lawmakers and institutions have also determined they aren’t subject to the same level of fines private organizations are subject to and they have crafted new legislation that extends the definition of what is or is not a lawful basis for their own data collection efforts.

Moreover, none of the lawmakers’ websites we’ve analyzed stipulate a lawful basis for each processing activity, preferring instead to bundle all activities under a collection of bases, e.g. consent, legitimate interest and “public task”.

We don’t need to venture far to see the hypocrisy in action:

  • France’s data protection authority, The National Committee on Informatics and Liberty, is serving third-party content from Twitter;
  • The website of the chair of the UK’s Digital, Culture, Media and Sport Committee doesn’t contain a privacy policy;
  • Irish Senators have recently engaged in a debate that questioned whether public bodies can infer consent;
  • The Data Protection Act 2018 provides public officials the opportunity to collect users’ data providing they can prove it was done to “further democratic engagement”;
  • The EU is serving spreadsheets containing hundreds of users’ names and email addresses from its website.

Of course, EU institutions don’t even need to comply with the General Data Protection Regulation, but with a regulation that comes into force later this year. Under that regulation, EU institutions can be fined 500,000 EUR but only “as a last resort”.

Under the GDPR, private organizations can be fined upwards of 20 million EUR or 4 percent of annual turnover, whichever is higher.

Meanwhile, as lawmakers and institutions wield a heavy hand from up high while failing to comply with their own rules, private organizations have been turned upside down by the GDPR, with popular forums and social networks awash with perplexed webmasters confused by how the GDPR applies to their activities.

While the activities of Google, Facebook and other large tech organizations may be the motivation behind the new far-reaching privacy regulations, with upwards of hundreds of thousands of personnel at their disposal they are unlikely to be disproportionately affected by them.

Rather, it’s startup organizations with little to no resource, let alone the time or legal expertise to devote to interpreting 99 Articles and 173 Recitals of impenetrably vague legalese, that will likely feel the harshest burden, at least on a relative basis.

As we’ve already witnessed, Google has liberally interpreted its role as that of a mere data processor for many of its services, thus placing the burden of obtaining consent, as well as the technological solutions that must be implemented to do so, onto SMEs.

Therefore, SMEs reliant on Google’s services to, for example, track the effectiveness of their marketing spend, or to monetize their web presence, are left in a land of subjective legal interpretations and ifs, buts and maybes.

They are left to interpret a vague regulation, with the promise that another vague regulation is forthcoming in 2019 (the ePrivacy regulation), while public institutions squabble with internet platforms over the moral legitimacy of their services and theoretical issues entirely divorced from any practical realities on the ground.

The problems are heightened by the vague definitions outlined in the new regulations. For example, according to Professor Lilian Edwards, an expert in internet law, the modern definition of personal data is “beginning to swallow everything”.

Moreover, some academics, like Nadezhda Purtova, have even gone as far as to claim that it’s “impossible” to comply with the regulation. In her paper titled “The law of everything: Broad concept of personal data and future of EU data protection law”, Purtova states:

“…European data protection law is facing a risk of becoming ‘the law of everything’, meant to deliver the highest legal protection under all circumstances, but in practice impossible to comply with and hence ignored or discredited as conducive to abuse of rights and unreasonable”.

It becomes more challenging for SMEs when personal data isn’t just defined as what’s collected but what can be inferred from what’s collected, i.e. what it says about an individual if they visit a particular website or engage in a particular activity.

Many developments need to occur before it becomes clearer how the GDPR applies in a practical sense. However, until that point, SMEs can sleep easier knowing that those who enact and enforce the regulations that have precipitated widespread upheaval across the web are just as incapable of complying with the regulation as they are.