Tech giants are scrambling to update their systems and online services in anticipation of the EU’s General Data Protection Regulations (GDPR), which will become European law on 25 May 2018. In accordance with the GDPR’s age of consent to allow personal data collection, WhatsApp recently announced the minimum age for using the popular application will be raised to 16 years old. The new policy featured on the companies FAQ page is one of the latest updates to come from major online platforms.
Other media companies have also been rolling out tools that will allow their terms of service to comply with GDPR. Several days ago, Instagram told technology reporting outlet TechCrunch that the platform is in the process of creating “a new data portability tool” to download all the content a user has ever put up on the site. “You’ll soon be able to download a copy of what you’ve shared on Instagram, including your photos, videos, and messages,” said an Instagram spokesperson.
Another notable example is the series of policy changes made by the giant of social media, Facebook. The company recently announced new policies that prevent applications designed to interact with Facebook to take actions on behalf of users, since many of these actions involve access to private user information. For example, they will no longer be able to RSVP to events on behalf of Facebook users or publish posts on Facebook as the logged-in user, among a raft of other new limitations. Because Facebook is a major tool in the business world, it’s difficult to understate how disruptive policy changes to the platform can be for developers and e-commerce companies. Understanding how detrimental limiting information access could be for app creators and business marketing tools, Facebook set up a page containing a “Platform Review Form” to address the slew of questions and inquiries that will most definitely come as a result of these rule changes.
These examples are hardly a new phenomenon. From late 2017, big internet companies were already announcing significant changes to their service policies in response to GDPR requirements. Google started letting users choose what data they want to share with its various products. Amazon began improving data encryption on its cloud storage service. In some cases, companies have removed products entirely from the European market because they would violate the new privacy rules. But now that the enactment of GDPR is imminent, changes to some of the biggest platforms on the web are going to be more hard felt.
That’s not to say that all policies will be super restrictive to users. In fact, in many cases, it’ll be easy to circumvent them. With WhatsApp’s new age restriction, for instance, there’s no indication that the app will require a user to prove their age. Because it’s confident WhatsApp-loving teens won’t have any trouble circumventing the new minimum age limit, the company probably saw no real risk to its business—teenagers will easily ignore the rules. The same applies to a similar parental control rule codified by Facebook, requiring users under 16 to “nominate” a parental figure to oversee their activity. The system Facebook has concocted to enforce this is just plain laughable, merely requiring that teens select one of their Facebook friends as the guardian or enter an email address—which could literally be an alternative email address they themselves created for that purpose.
Compliance GDPR-Style
While some rules are more “flexible” than others, we’re clearly beginning to see a substantial increase in these types of alterations to internet services. The fact that all of these companies are also based in the US should give any half-awake American company some pause, and begin to dispel the notion that GDPR is a European problem.
What is common about all of these new rules is that companies are attempting to cover themselves. The trend that we’re seeing develop at an exceedingly fast rate is exactly what the European Commission wanted to happen—namely, companies redesigning their own services and infrastructure to comply with the new rules.
The New Regulation Model
GDPR is all about system-wide accountability. This is, unfortunately, a relatively new idea in the world of IT. Getting some type of broad consensus on what accountability means has been a difficult process. This is only compounded by the fact that data is a global issue, and one set of rules for one country does not affect another. GDPR is really the first attempt to bring everyone on the same page of the issue. And by everyone, they mean everyone.
Let’s try to break this down.
The GDPR is an embodiment of a new brand of data regulation that seeks to promote a paradigm shift in regulations. This philosophy has come to be known as Safety by Design, or SbD, and has made important inroads into fields from engineering to management.
SbD is the latest stage in the evolution of regulation codes. Ever since people began to realize how dangerous our technology was becoming, regulations have been a part of the fabric of legal systems in every developed country. These rules started off regulating what people can do with things. Then they moved into determining who is allowed to operate them. Eventually, regulations went even deeper and began mandating how things were to be manufactured in the first place. This is really a good place to be at for two reasons. First, it ensures a certain amount of safety from the get-go. Second, it opens up the door for more freedom to actually use things once they’ve been manufactured—there’s a measure of confidence in the stability of the product or service. For instance, we can feel more comfortable with deploying more cars knowing that one of them won’t spontaneously combust on the highway.
But Safety by Design has been tricky when it comes to information technology. This is largely due to the firmly entrenched patterns that guide IT development. In the design stages of every level of this technology, from hardware to programs, to the systems that govern the movement and storage of data, the guiding objective is deliverability. In other words, developers are asking “let us get IT to perform a certain task.” This then morphs into scalability, or how the product can be implemented at increasingly larger scales. Then comes reliability, ensuring that devices and systems are going to be capable of supporting operations for the long-term. The question of how to make systems secure and compliant with regulations is usually last on the list. This pattern usually emanates from systemic organizational issues in the firms and corporations coming up with product innovations. Each aspect of development is dealt with by a distinct department, with one team being in charge of technical issues, another with business scalability, and yet another on regulatory compliance. Thus, the progress of these different aspects of a project does not necessarily advance in sync. What emerges is a product that was not fully designed with safety in mind.
It was this systemic feature of IT that GDPR was coming to address by force. GDPR, with its massive fines for non-compliance and heavy requirements for the way companies interact with clients’ personal data, was essentially saying to companies, Get your act together or else. The text of the legislation—most notably the infamous Article 25—is filled with requirements for companies to reorganize basic aspects of protocol and infrastructure to achieve Safety by Design. On the technical side, businesses are expected to adopt procedures by which personal data is always under several layers of protection, such as pseudonymization and encryption. On the organizational end, companies must have strict guidelines to determine any interaction with sensitive information including “the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.” This means that companies have to be meticulous in tracking any feature of their products that have to do with collecting or accessing personal info—hence, the changes to terms of service to that are appearing at an increasingly fast rate.
Global Reach
The second aspect that makes GDPR unique is how its rules apply incredibly broadly. Article 3 of the GDPR says that if a company collects personal data or behavioral information from someone in an EU country, the organization is subject to the requirements of the GDPR. This means that any company with an online presence (which is pretty much any company) trying to cater to Europeans is affected by these rules.
The recent moves by WhatsApp and other big names in tech to alter their services are just the beginning. Realistically, many online firms will only begin to make changes once GDPR becomes law and the consequences of non-compliance become clearer.
Hopefully, the broader spectrum of American firms can take a cue from recent news, something that will make the transition into the GDPR era a bit easier for everyone.
