Personal Data: Tim Berners-Lee’s Worries & the GDPR

On the occasion of the 28th birthday (some might prefer "anniversary") of Tim Berners-Lee submitting his proposal to CERN for what would become the World Wide Web, he wrote an open letter on how the web has evolved and what must be done to fulfill his vision of an equalizing platform that would benefit all of humanity.

The opening paragraph celebrates that the Web has indeed allowed, Tim Berners-Lee writes, “everyone everywhere to share information, access opportunities and collaborate across geographic and cultural boundaries. In many ways, the web has lived up to this vision, though it has been a recurring battle to keep it open. But over the past 12 months, I’ve become increasingly worried about three new trends, which I believe we must tackle in order for the web to fulfill its true potential as a tool which serves all of humanity.”

The very first of those three new trends worrying Tim Berners-Lee? He writes in bold print and a large font:

We’ve lost control of our personal data

He goes on to elaborate on this in some detail:

“The current business model for many websites offers free content in exchange for personal data. Many of us agree to this – albeit often by accepting long and confusing terms and conditions documents – but fundamentally we do not mind some information being collected in exchange for free services. But, we’re missing a trick. As our data is then held in proprietary silos, out of sight to us, we lose out on the benefits we could realise if we had direct control over this data, and chose when and with whom to share it. What’s more, we often do not have any way of feeding back to companies what data we’d rather not share – especially with third parties – the T&Cs are all or nothing.”

After this, Sir Tim takes off the gloves and pulls no punches:

“This widespread data collection by companies also has other impacts. Through collaboration with – or coercion of – companies, governments are also increasingly watching our every move online, and passing extreme laws that trample on our rights to privacy. In repressive regimes, it’s easy to see the harm that can be caused – bloggers can be arrested or killed, and political opponents can be monitored. But even in countries where we believe governments have citizens’ best interests at heart, watching everyone, all the time is simply going too far. It creates a chilling effect on free speech and stops the web from being used as a space to explore important topics, like sensitive health issues, sexuality or religion.”

These are the sort of topics and concerns we deal with in our daily practice at PDEC. Rather than invading and abusing privacy and personal data, PDEC members work within the Personal Data Ecosystem to respect the data and respect the individuals, while at the same time enjoying the opportunities of the emerging Personal Information Economy.

From our PDEC perspective, the two are not mutually exclusive. That will become more of a reality when the GDPR goes into effect in May of 2018. From Wikipedia, here is the first paragraph explaining what the GDPR is all about:

“The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.[1] When the GDPR takes effect it will replace the data protection directive (officially Directive 95/46/EC)[2] from 1995. The regulation was adopted on 27 April 2016. It enters into application 25 May 2018 after a two-year transition period and, unlike a directive, it does not require any enabling legislation to be passed by national governments.[3]”

The GDPR is not limited to EU countries. Any business entity anywhere on the globe, of any size, doing business with a company that falls under the GDPR guidelines (meaning one that processes the data of EU residents) must be in compliance with GDPR regulations. The penalty for companies that are not in compliance: up to 4% of worldwide turnover.

For those unfamiliar with the term “worldwide turnover,” it is a synonym for total revenues or, more plainly, the annual sales volume net of all discounts and sales taxes.

What does this mean? Here’s an example: Company X in North America (or South America, or Asia) does business with an EU-based firm, Company E. As part of this business, customers’ personal data is exchanged. Company E does this in keeping with the GDPR regulatory regimen: the individuals are kept abreast of their data and have a say in how it may be shared. Company E, as holder of the data, is obligated to protect it and to hold those with whom it does business (Company A, and others) to the basis on which the personal data sharing agreement was made with the individual(s).

This is where it gets tricky, and potentially on a global scale.

If Company X does business with Company A in North or South America or Asia, and Company A does not honor the GDPR regulations and is therefore out of compliance, Company A is then subject to the EU GDPR penalty: up to 4% of worldwide turnover. Open questions remain about just how this will be enforced and how companies will be held to account.

But the easier consequences are simple: the EU can prevent Company E from doing business with Company X, and perhaps with other companies as well. It can also demand an accounting and audit on a massive scale, which would hamstring Company E’s back-office operations and would likely affect other areas of its operation.

Company A would also come under scrutiny and face other fallout, not least other EU firms being loath to do business with it.

All of this is the EU’s initiative to protect personal data. Personal data is indeed a new asset class. We at PDEC have been calling attention to the Personal Information Economy for some time now. With the EU’s GDPR and other emerging realities, this is truer than ever.

Tim Berners-Lee is right to have his concerns. But recent actions, no doubt prompted by and in response to the deeds of nefarious no-goodniks, have resulted in the GDPR and in a rise of governmental respect for, and acknowledgement of, the propriety and value of personal data.

At PDEC we consider this a win-win situation.