General Data Protection Regulation (GDPR)

The ideas so good they have to be mandatory

The alternative perspective to GDPR

you haven't heard and seen before

Who am I?

• IT security professional (CISSP) focused in IT security for 20+ years (and 10+ years in my own IT security company Nethemba s.r.o.)
• Digital privacy is the top of my/our company priority (www.chrantesvojesukromie.sk, www.chrantesvesoukromi.cz)
• Believe that we deserve the absolute digital privacy (including protection of all financial transactions)
• Voluntaryist  - all relationships have to be mutually voluntarily - we cannot force adult people to do anything against their will -> GDPR should be considered as a competitive advantage, not as an obligation enforced by state coercion 

What is GDPR?

• The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU)
• The regulation was adopted on 27 April 2016. It becomes enforceable from 25 May 2018
• Not following the regulation may cost you a fine up to 20 000 000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise

Is GDPR bad?

• For sure there are a lot of interesting ideas and concepts in GDPR that can improve the privacy of EU citizens
• But the crucial questions are:
  • Are these security / privacy measures economically effective? Do they make economic sense? 
  • Can we morally afford to externalize all these expensive costs to tax-payers or data subjects/controllers/processors without their consent?
  • Can we morally define the new rights and externalize all costs for their legislation and enforcement to tax-payers?

GDPR increases expenses for everyone

• Imagine the following situation:
  • A low-budget company provides their cheap services or products to customers who prefer the lowest price instead of their privacy
  • Because GDPR is in the EU globally enforced even to small low-budget companies, it will increase their expenses and therefore their final prices. It means their customers who primarily care about the lowest prices (not the privacy) will have the higher prices
  • Is this fair towards these low-budget companies and their customers (who really don't care about privacy)?  

GDPR takes away from people a choice to decide between their privacy and other benefits.

The privacy is for sure important, but cannot be forced to all people especially if many of them are willing to exchange it for some benefits.

Where are our privacy borders?

• A lot of requlations require user data collection and its protection
• Unfortunately the option "No, thank you. I don't want your data" is missing for many data controllers towards their data subjects
• GDPR should encourage people to use anonymous payment cards, anonymous SIM cards,... where there is no such risk associated with deanonymization or information leakage
  • but this is prohibited because of AML (Anti Money Laundering legislation)
  • apparent collision of GDPR with AML
• The government allows us some kind of anonymization, but not too much - despite of GDPR they should be able to monitor our calls or payments (because of "terrorism" or because "taxation frauds)

GDPR  introduces

new "positive" rights

• "Positive rights" - they are not initiated by the mutual contract:
  • Right of access by the data subject
  • Right to erasure / Right to be forgotten 
  • Right to rectification
  • Right to restriction of processing
  • Right to data portability
  • Right to object
• All costs to "positive rights" are externalized to tax-payers (without their consent) and cannot be override by voluntary mutual agreements(!)

Everytime you create a new positive right, you also create an obligation to tax payers to cover all related expenses

Huge GDPR fines

GDPR allows imposing fines for some infringements:

• Up to the higher of 4% of annual worldwide turnover and EUR 20 million. (e.g breach of requirements relating to international transfers or the basic principles for processing, such as conditions for consent)
• Up to the higher of 2% of annual worldwide turnover and EUR 10 millions (e.g. missing encryption, failed obligation to notify the state/customer, missing Data Protection Officer, ..)

The "existential" threat of GDPR fines

• It creates an incentive for international companies to leave the EU especially when their internal expenses for GDPR compliance are too high resulting with the higher risk of GDPR fines for non-compliance
• They still have a duty to protect the EU citizens or pay the fines for ignoring this duty, but outside of the EU it can be technically difficult to enforce any penalties
• The question is - how does the EU want to make impossible for international companies out of the EU to process the online data of the EU customers without enforcing "censorship"? 

Should we expect another Internet censorship of all websites of international companies delivering their products/services to the EU citizens which decide not to follow GDPR rules?

(Yes, this already happened with online gambling companies!)

Breach notifications

• Data controllers must notify most data breaches to the DPA (= the government). This must be done without undue delay and, where feasible, within 72 hours of awareness.
• The question is "Can we really trust the government"?
  • According to the statistics there were a lot of breaches / leaks in the Slovak/Czech governments including the Slovak National Security Authority(!)
  • For many companies which don't trust the government and their ability to protect citizens' data, it may be safer not to report the incidents (and risk the associated fines)
  • Reporting (=revealing this information to the government) may be also a reputational risk for the company (see the recent Uber incident)

Because of the reputational risk and the government's inability to protect sensitive data, many companies may calculate if it makes economic sense to notify the government about potential breaches or not at all.

Encryption always helps

• Enabling encryption in these days is easy for most desktop, smartphones, servers, ....
• It will increase your GDPR compliance
• It will decrease the fines you can get from the DPA (= government)
• In some cases you don't need to notify affected users in case of the breach (but still have the DPA), especially if you really care about your privacy (e.g. use encryption)

Should corporations use Tor/I2P networks & anonymized browsing? 

GDPR "freely and explicit consent" is applied to data subjects only

• GDPR specifies that "Consent must be freely given, specific, informed and unambiguous and EXPLICIT" from all data subjects
• But no one asked data controllers or data processors for their "voluntary and freely consent" with GDPR legislation which is forced to them WITHOUT THEIR CONSENT!

Right to erasure ("right to be forgotten")

• It is another "positive" right where all related costs have to be externalized to tax-payers

• Especially when this can be handled by mutual agreements between data subjects and data controllers / processors

• If some people require "to be forgotten feature" they should prefer more privacy-aware data controllers / processors and pay extra fees for such services (e.g. ProtonMail instead of Gmail)

• It is immoral to provide this right (and externalize all expenses) to all citizens especially if most of them do not care about it

How do you want to enforce the GDPR legislation (especially the right to be forgotten, the right rectification) if the data controllers/providers decide to encrypt their users' data to the public blockchain instead of their local database?

Will the EU ban blockchain for storing any sensitive data?

Right to data portability

• It is another "positive" right where all related costs have to be externalized to tax-payers

• Especially when this can be handled by mutual agreements between data subjects and data controllers / processors

• If some people require the "data portability feature" they should prefer data controllers / processors which provide such services - and of course this can be their competitive advantage - there is no need to provide such right by the government (!)

• It is immoral to provide this right (and externalize all expenses) to all citizens especially if most of them do not care about it

"Privacy by

design and by default"

• "The least privilege" concept (minimization of any stored / process data)

• GDPR encourages "pseudonymization" of personal data:

  • “The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.”

• What about completely stop using bank accounts and switch to truly anonymous cryptocurrencies (e.g. Monero) ?
  • You significantly eliminate the leakage of your sensitive information associated with the risk of bank account's breach :-)

Are truly anonymous cryptocurrencies GDPR friendly? :-)

• Because
  • They anonymize citizens' financial situation
  • Protect against information leakage from the bank account
  • Limit the number of required payments parameters

GDPR "public interest"

• Many sections of GDPR refer to a "public interest"
• But there is no such thing like "public interest"!
  • Ayn Rand: Since there is no such entity as “the public,” since the public is merely a number of individuals, any claimed or implied conflict of “the public interest” with private interests means that the interests of some men are to be sacrificed to the interests and wishes of others. Since the concept is so conveniently undefinable, its use rests only on any given gang’s ability to proclaim that “The public, c’est moi”—and to maintain the claim at the point of a gun.
  • All “public interest” legislation (and any distribution of money taken by force from some men for the unearned benefit of others) comes down ultimately to the grant of an undefined, undefinable, non-objective, arbitrary power to some government officials.

GDPR "unclear" definitions

• GDPR legislation has a lot "large scale" unclear definitions
  • "large amount of data", "large organizations", "large number of affected persons"...
  • "reasonable" care
• Unclear definitions in the legislation always leads to a corruption and an arbitrary interpretation by government officials

GDPR restricts “profiling”

• And gives data subjects significant rights to avoid profiling-based decisions 

• In these day most bigger companies do automatic profiling (e.g. target marketing, price differentiation) including all social networks
• Technically it may be difficult to check if the automated "profiling" is applied (as a tax payer, are you really willing to pay the government officials who will do that?)
• This should not be regulated by the government at all!
• If there are some users who are not OK with automated profiling, they should be willing to pay extra money for such services and the market should provide the solution.

Conclusion

• GDPR is just too complex and too expensive legislation for most companies to follow it properly

• GDPR is vague, therefore expect the GDPR related corruption

• New methods and technologies will appear that helps companies to stay compliant with GDPR as well as to boycott it without possibility to penalize them

• GDPR overrides the end-to-end mutually voluntary contracts between the data subjects and data controllers/processors

• GDPR externalizes all expenses to all tax-payers (the legislation and the legislation enforcement) and data controllers/processors resulting in increase of their expenses in all situations (even when privacy is not the priority of their customers what is not fair)

Thanks!