---
title: Beyond GDPR
date: 2024-03-22
tags: [privacy]
description: When the General Data Protection Regulation (GDPR) came into effect throughout the EU in 2018, it pushed the boundaries of privacy regulation worldwide. In this article I am trying to explore what I would like to see in the next iteration of privacy regulation.
---

When the General Data Protection Regulation (GDPR) came into effect throughout the EU in 2018, it pushed the boundaries of privacy regulation worldwide. It enshrined principles such as *data minimisation* or the right to *data portability* into law.

In my work I often deal with the GDPR. And while I honestly think it is a great step forward, I also have some grievances. So in this article I am trying to explore what I would like to see in the next iteration of privacy regulation.

Obvious disclaimer: I am not a lawyer and have no clue what I am talking about.

## What is personal data?

[Art. 4](https://gdpr-info.eu/art-4-gdpr/) and [Recital 26](https://gdpr-info.eu/recitals/no-26/) define that data is *personal* data if it can be linked to a natural person. [Art. 9](https://gdpr-info.eu/art-9-gdpr/) defines what "special categories" of personal data are.

I have several issues with this definition:

- Whether data can be linked to a natural person is not always clear-cut. For example, consider IP addresses. Those are usually handed out by ISPs who have contracts with their users. So by checking the ISP's database you could link an IP address to a natural person. But is it reasonable to assume that you can access that database? To quote Recital 26:

  > To ascertain whether means are reasonably likely to be used to identify
  > the natural person, account should be taken of all objective factors, such
  > as the costs of and the amount of time required for identification, taking
  > into consideration the available technology at the time of the processing
  > and technological developments.

  I understand why this is so wishy-washy, but that doesn't change the fact that it is.
- Data about one person can have implications for another person. Example: relatives share parts of their DNA. Should a single person even be allowed to decide about their own data if it affects others?
- The decision whether something is personal data is binary. If data can be linked to a single person, it is personal data. If it can be linked to a small group of people, say two, all of these rules no longer apply. That doesn't feel right. For example, this definition does nothing to prevent micro-targeting. An alternative approach could be [k-anonymity](https://en.wikipedia.org/wiki/K-anonymity).
- The sensitivity is also binary in this framework. Data either contains special categories or not. A single record of a heart attack or 50TB of MRI imagery, it's all the same to the GDPR.[^1]

I don't have the perfect definition for personal data either. But the GDPR has pushed the envelope once. I wish that it can do it again and introduce an even better model.

[^1]: The GDPR does have a more nuanced perspective on data sensitivity when it comes to fines (see [Art. 83](https://gdpr-info.eu/art-83-gdpr/)).

## Easy to understand

I really like how the GDPR tries to be easy to understand. But I quickly found things I didn't understand or that seemed outright contradictory to me. Let me give you some examples:

For most of my use cases, [Art. 6](https://gdpr-info.eu/art-6-gdpr/) boils down to: "If you have a contract with someone, you can safely process their data as long as it is required for the contract. For anything else, you need consent that was freely given and can be revoked at any time." Clear guidelines, easy to understand.

[Art. 9](https://gdpr-info.eu/art-9-gdpr/) explains that actually, there are "special categories" that follow a slightly different set of rules. Basically, a contract is not enough and you always need consent. It would have been nice if this exception had been mentioned in Art. 6.

But there is also a contradiction here, right? How can I "freely give" consent that is required for a contract? Say you are caught in a kafkaesque legal battle and your sleazy lawyer wants to know all of your secrets. Do you really have a choice in that situation? It cannot be required and freely given at the same time, or am I missing something?

[Art. 17](https://gdpr-info.eu/art-17-gdpr/) defines the *right to be forgotten*. "You are allowed to demand the deletion of all your data from anyone." That sounds nice, doesn't it? But it's not what that article actually says. It just repeats that data processing is only allowed under specific conditions, and that your data must be deleted if those conditions are no longer met. I honestly don't know why this article exists; it just seems so redundant. Maybe this article is meant to clarify some gaps in the previous rules, e.g. that withdrawing your consent by default only affects future data processing, and that you can demand deletion of already existing data in addition to that. But even then I find it weird that these clarifications come several articles later instead of simply providing a complete definition of consent from the start.

[Chapter 9](https://gdpr-info.eu/chapter-9/) then goes on to list a whole lot of additional exceptions. Or rather, it lists cases in which national law might override the GDPR. So in order to know whether any of this applies you have to check the entire national law.

I am sure there are explanations for everything I don't understand. I guess that regulation like this has some degree of inherent complexity. But there are also some obvious improvements that could be made, either by changing the structure of the text or by providing auxiliary material.

## Restrictions on data propagation

The GDPR contains plenty of restrictions for processing data. But once someone has your data, there are next to no restrictions on who can access it. If you give your data to a company with 10,000 employees, all of them can now legally access that data. Heck, the company can also pass the data to subcontractors.

One of the [principles](https://gdpr-info.eu/art-5-gdpr/) of the GDPR is "data minimisation", which is super important to limit the attack surface. But to my knowledge there are basically no concrete rules that actually enforce this.

As an example: a local film festival recently started to sell their tickets exclusively via a third-party online platform. Before that, it was possible to buy tickets anonymously in cash. Now you have to tell that platform what movie you want to see. It is reasonable to assume that they are hosting their databases on AWS, so the whole of Amazon can probably also see that. And the GDPR doesn't protect you from any of it.

## Focus on principles instead of compliance

The GDPR is based on some truly great principles, for example:

- [data minimisation](https://gdpr-info.eu/art-5-gdpr/): You can only process data if it is required for a given purpose, must not use it for anything but that purpose, and need to delete it once that purpose has been fulfilled.
- [data portability](https://gdpr-info.eu/art-20-gdpr/): You can freely migrate from one platform to another and take all your data with you.
- a very progressive [definition of consent](https://gdpr-info.eu/art-7-gdpr/) that requires plain language and even considers an imbalance of power.

Unfortunately, none of that really materialized. The GDPR should have smashed targeted advertising and centralized social media. Instead, companies were told that they can continue as before as long as they fill out some paperwork and add cookie banners to their websites.

Some time ago I saw a website that had been built by a young colleague of mine (I won't name names). It had no cookies. It had a cookie banner. They had grown up in a world where every "respectable" website had a cookie banner, so they thought that having one was a legal *and aesthetic* requirement.[^2]

I am not sure what exactly went wrong here. The power of advertising companies such as Google and Facebook certainly played a role. But I also blame the EU. With the benefit of hindsight, I hope that they can come up with a better communication strategy next time around.

[^2]: I understand that cookie banners are often not actually required by the GDPR, but by the [ePrivacy directive](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02002L0058-20091219). But the point that the underlying principles got lost somewhere still holds.

## Wild idea: make it a tax

Imagine if companies had to pay taxes on the size of their database. I can easily come up with a justification that contains enough buzzwords to sway your average politician: *In these trying times full of ransomware and cyber terrorism, storing any kind of data is a public security hazard. The companies that are most likely to leak data should also pay the biggest part of the cleanup bill.*

So far the GDPR concentrates on [fines](https://gdpr-info.eu/art-83-gdpr/) instead of taxes. I am not well versed in the discourse around these two options. But maybe it's not even that important whether this is a fine or a tax. The juice is in how it is calculated: the fines in the GDPR can be high and they are also supposed to consider the "number of data subjects affected and the level of damage suffered by them". But I want something more specific. I want something like this:

```
tax = base value
    * number of unique datasets
    * sum of sensitivity for each field
    * number of natural people with access
```

This would explicitly incentivize corporations to keep datasets small, throw away historic data, avoid highly sensitive fields, and restrict the pool of users.
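To make the incentives concrete, here is a small Python script that is an added illustration, not part of the original post: it evaluates the formula above on a constructed ticket-sales table (loosely modelled on the film-festival example) and also computes the table's k-anonymity, the measure mentioned in the personal-data section. The records, the per-field sensitivity weights and the base value are all assumptions made for the example.

```python
from collections import Counter

# Constructed sample records (not real people), loosely modelled on the
# film-festival ticket example: two quasi-identifiers plus the movie seen.
RECORDS = [
    {"postcode": "10115", "birth_year": "1990", "movie": "Drama A"},
    {"postcode": "10115", "birth_year": "1992", "movie": "Drama A"},
    {"postcode": "10115", "birth_year": "1995", "movie": "Comedy B"},
    {"postcode": "20095", "birth_year": "1985", "movie": "Comedy B"},
    {"postcode": "20095", "birth_year": "1988", "movie": "Drama A"},
    {"postcode": "20095", "birth_year": "1988", "movie": "Drama A"},
]

# Hypothetical per-field sensitivity weights; the post only says
# "sum of sensitivity for each field", so these numbers are made up.
SENSITIVITY = {"postcode": 1.0, "birth_year": 1.0, "movie": 3.0}


def k_anonymity(records, quasi_ids):
    """Size of the smallest group sharing the same quasi-identifier values."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values()) if groups else 0


def unique_datasets(records, fields):
    """The 'number of unique datasets' term: distinct value combinations."""
    return len({tuple(r[f] for f in fields) for r in records})


def proposed_tax(records, sensitivity, people_with_access, base_value=1.0):
    """The post's formula: base * unique datasets * sum(sensitivity) * people."""
    fields = list(sensitivity)  # only taxed fields count towards uniqueness
    return (base_value * unique_datasets(records, fields)
            * sum(sensitivity.values()) * people_with_access)


def generalise(records, field, width):
    """Coarsen an integer-valued field into buckets of `width` (1990 -> 1990-1999)."""
    out = []
    for r in records:
        lo = int(r[field]) - int(r[field]) % width
        out.append({**r, field: f"{lo}-{lo + width - 1}"})
    return out


if __name__ == "__main__":
    coarse = generalise(RECORDS, "birth_year", 10)
    print("k before/after:", k_anonymity(RECORDS, ["postcode", "birth_year"]),
          k_anonymity(coarse, ["postcode", "birth_year"]))                 # 1 3
    print("tax as stored:     ", proposed_tax(RECORDS, SENSITIVITY, 10))   # 250.0
    print("tax with decades:  ", proposed_tax(coarse, SENSITIVITY, 10))    # 200.0
    print("tax without movie: ", proposed_tax(coarse, {"postcode": 1.0, "birth_year": 1.0}, 10))  # 40.0
    print("tax with 2 readers:", proposed_tax(coarse, SENSITIVITY, 2))     # 40.0
```

Each of the three levers the post names (coarser or fewer records, fewer sensitive fields, fewer people with access) lowers the result, and the uniqueness term is what makes generalising birth years pay off.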
Also note that looking at *unique* datasets would encourage a high k-anonymity, something that the GDPR doesn't even consider.

There are clearly still a lot of details that need to be worked out. I also have no clue how much administrative work this would cause. But it is an idea.

## Conclusion

The GDPR is great, but it could be better. It especially suffers from a lack of enforcement of its principles. Maybe a tax could help with that.