A pragmatic non-technical view on the GDPR

A pragmatic non-technical view on the GDPR

The 6th of January 2022, the CNIL announced the following:

On December 31,2021, the CNIL fined GOOGLE a total of 150 million euros (90 million euros for GOOGLE LLC and 60 million euros for GOOGLE IRELAND LIMITED) because users of google.fr and youtube.com can't refuse or accept cookies as easily.

A direct consequence of this fine is that Google will likely change its "content dialog" to something more like No/Yes instead of Customize/I agree:

Another consequence, albeit a more mundane one, is that this sparked an interesting conversation on an obscure irc channel, about the usefulness or its lack thereof of the GDPR on the web, from a strictly technical point of view. Since I struggled to correctly articulate my thoughts on the topic there, here is a full blog post instead.

If you've been browsing the web from an European IP address, odds are that you faced an interminable litany of popups and modal asking if you're ok with having your privacy stomped to the ground. Sometimes, it's even worse, like on jeuxvideo.com, asking you to either cough up money, accept the associated ludicrous terms and conditions, or undergo invasive tracking, which is in complete violation of the GDPR.

Maybe this circus made you angry, and maybe you blamed the GDPR for this. If so, your anger was misdirected: you should be angry at websites hoarding data to spy on you. The GDPR doesn't mandate annoying popups everywhere, it does however mandate a:

freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

The horrible popups, associated nagging and dark patterns circus are entirely the websites' fault. There used to be nice technical solutions to the "don't/do track me" signalling problem, like the late Do Not Track header:

• client-side: no need for each website to ask and store one's (absence of) consent
• granular: setting per-site preferences was easy
• simple and standardised: easy to implement and process, both client-side and server-side

But unfortunately, it failed. For a couple of related reasons, in my opinion: it was sometimes enabled by default, so website could just pretend that the user didn't express anything. But more importantly, it didn't really define what it meant, and as such, wasn't enforceable legally: the signalling, whatever it meant, could simply be ignored by everyone, without any consequences.

Interestingly, now that the GDPR and the CCPA are in place and tend to be enforced, having something similar would be nice, like the Global Privacy Control, but unfortunately, its signalling is still unclear and insufficient.

But the GDPR isn't specifically about cookies and tracking on websites: it's about what others can and can not do with your data: an ad blocker won't prevent Grindr from selling/sharing all your data, the GDPR does. And this is what the GDPR is about: systemic social (legal, thus economic and behavioural) changes to shape technical ones, which is much more effective than tackling the problem the other way around.

It doesn't prevent entities from collecting troves of data about their users, it requires them to ask for it, in a crystal clear way, offer means for users to say "no" as easy as it is to say "yes", to explain why they're collecting data, how, for how long they're keeping them, with whom they're sharing it, … with possibly enormous fines if they're not playing by the rules. Most will prefer to take the easy way, and try to avoid collecting PII at all, because it's tedious, risky, and adds friction. I used the term "entities" and not websites, because the GDPR is broader than the web: think about phone apps, behavioural data collection in supermarkets, insurance companies, call centres, … just look at the CNIL's sanctions list, or at GDPRhub to have a glimpse of its reach and effects.

Take a look at the world's favourite's shitshow, the United States of America: there is an horrible patchwork of laws regulating some stuff, but "The data collected by the vast majority of products people use every day isn't regulated. Since there are no federal privacy laws regulating many companies, they’re pretty much free to do what they want with the data, unless a state has its own data privacy law." People don't know that they're tracked, to what extend, for what reason, to whom the data are shared, … nothing, pure bald-eagle unhindered far-west US-style freedom allowing disruptive free-market fuelled innovations like data-mining mental health support hotline records, careless handling of pervasive home recording, elections manipulation, nation-scale PII leaks settlements for peanuts, …

TL;DR the GDPR is an amazing large-scale social solution to a fundamental multiform social problem, that couldn't be solved by technical means alone.