Happy GDPR day.
The GDPR is a big deal. It encodes significant personal and private data
rights for EU subjects, including, among others:
Organizations that process personal data, referred to as “data controllers,”
accept serious responsibilities to respect those rights, and to protect the
personal data they process. These responsibilities include, among others:
The regulations have teeth, too; fines for non-compliance add up to a
considerable financial penalty. Failure to notify in the event of a breach, for
example, may result in a fine of up to €20 million or 4% of global revenue,
whichever is greater.
There’s a lot more, but the details have been extensively covered elsewhere.
In contrast, I want to talk about the impact of the GDPR on internet
products and services.
In my GDPR advocacy for iovation, I’ve argued that the enshrinement of
personal data rights marks a significant development for human rights in
general, and therefore is not something to be resisted as an imposition on
business. Yes, compliance requires a great deal of work for data controllers,
and few would have taken it on voluntarily. But the advent of the GDPR, with
application to over 500 million EU subjects, as well as to any and all
organizations that process EU subject personal data, tends to even out the cost.
If the GDPR requires all companies to comply, then no one company is
disadvantaged by the expense of complying.
This argument is true as far as it goes — which isn’t far. Not every company
has equal ability to ensure compliance. It might be a slog for Facebook or
Google to comply, but these monsters have more than enough resources to make it
happen. Smaller, less capitalized companies have no such
luxury. Some will struggle to comply, and a few may succumb to the costs. In
this light, the GDPR represents a barrier to entry, a step in the inevitable
professionalization of tech that protects
existing big companies that can easily afford it, while creating an obstacle to
new companies working to get off the ground.
I worry that the GDPR marks a turning point in the necessary professionalization
of software development, increasing the difficulty for a couple people working
in their living room to launch something new on the internet. Complying with the
GDPR is the right thing to do, but requires the ability to respond to access and
deletion requests from individual people, as well as much more thorough data
protection than the average web jockey with a MySQL database can throw together.
For now, perhaps, they might decline to serve EU subjects; but expect
legislation like the GDPR to spread, including, eventually, to the US.
Personal data rights are here to stay, and the responsibility to adhere to those
rights applies to us all. While it might serve as a moat around the big data
controller companies, how can leaner, more agile concerns, from a single
developer to a moderately-sized startup, fulfill these obligations while
becoming and remaining a going concern?
Going forward, I envision two approaches to addressing this challenge. First,
over time, new tools will be developed, sold, and eventually released as
open-source that reduce the overhead of bootstrapping a new data processing
service. Just as Lucene and Elasticsearch have commoditized full-text
search, new tools will provide encrypted data storage, anonymous authentication,
and tokenization services on which new businesses can be built. I fear it may
take some time, since the work currently underway may well be bound by corporate
release policies, intellectual property constraints, and quality
challenges. Developing, vetting, releasing, and proving new
security solutions takes time.
Commercial tools will emerge first. Already services like Azure Information
Protection secure sensitive data, while authentication services like Azure
Active Directory and Amazon Cognito delegate the responsibility (if not the
breach consequences) for secure user identities to big companies. Expect such
expensive services to eventually be superseded by more open solutions without
vendor lock-in — though not for a couple years, at least.
I’m into that, even working on such tools at work, but I suspect there’s a
more significant opportunity to be had. To wit, never underestimate the
ingenuity of people working under constraints. And when such constraints include
the potentially high cost of managing personal data, more people will work
harder to dream up interesting new products that collect no personal data at
Internet commerce has spent a tremendous amount of time over the last 10 years
figuring out how to collect more and more data from people, primarily to
commoditize that information — especially for targeted advertising. Lately,
the social costs of such business models have become increasingly apparent,
including nonconsensual personal data collection, massive data breaches and,
most notoriously, political manipulation.
So what happens when people put their ingenuity to work to dream up new products
and services that require no personal data at all? What might such services look
like? What can you do with nothing more than an anonymized username and a
properly hashed password? To what degree can apps be designed to keep personal
data solely on a personal device, or transmitted exclusively via end-to-end
encryption? Who will build the first dating app on Signal?
I can’t wait to see what creative human minds — both constrained to limit data
collection and, not at all paradoxically, freed from the demand to collect ever
more personal data — will come up with. The next ten years of internet
inventiveness will be fascinating to watch.