THE SMALL PRINT THAT COULD BRING DOWN BIG PREY

​Posted By Simon Montford on January 11, 2017

Towards the end of last year I gave a talk about the Internet of Things (IoT), at the Technology and Cybercrime Conference organised by the Law Society of Scotland. I referred to the General Data Protection Regulation (GDPR), which led to me being asked to write this piece for The Times. I should state I’m not an expert in the vagaries of data protection; if your organisation utilises data owned by third parties I strongly suggest you seek legal advice. This article (PDF) first appeared on 10 November in The Times LegalScot supplement (PDF). 

Europe’s new data protection regulation has the potential to do serious damage. The GDPR is a European Commission initiative that aims to strengthen and unify data protection on behalf of EU citizens. Adopted in April, it will take effect on 25 May 2018, replacing the Data Protection Directive of 1995. Unlike an EU directive, it doesn’t require any enabling legislation, and apparently comprises over 200 pages of small print. Highlights include the “right to be forgotten”, data breach notification and accountability, and data portability.  

Penalties for infringement will be severe, bordering on draconian, and it will be trained on organisations that do not conform adequately. Any entity is game, including academic institutions, charities, startups, and family-owned businesses. It has the potential to do some serious damage!  

With all guns blazing, it has the firepower to bring down even the largest of prey, because penalties could be as high as €20m, or 2% of global turnover, whichever is the higher. To put that into perspective the maximum fine in the UK under current legislation is £500k. Had the GDPR been in force when TalkTalk was hacked, they would have been hit with a fine of tens of millions. Had it been Google, the tech giant would have been forced to hand over around $30bn! Furthermore, breaches will need to be reported within 72 hours, or a fine may be levied of up to €20m, and that’s not all. Those affected may be allowed to sue for compensation, so if the fines and lawsuits don’t prove fatal, the reputational damage almost certainly will. If you’re thinking of setting up a division or subsidiary to shield your organisation from liability, forget about it. The EU can go after any and all “connected parties”.  

Think about that for a moment. Hackers with a gripe could destroy an organisation with a single hack. Another reason I believe the GDPR is ill conceived is that it won’t prevent cybercriminals from stealing, exploiting and generally misusing our data, and I doubt it will be capable of clipping the wings of tech titans like Facebook, Google, and Microsoft who, according to privacy advocates, are running amok with private data belonging to European citizens. According to Věra Jourová, Commissioner for Justice, Consumers and Gender Equality, “citizens and businesses will profit from clear rules that are fit for the digital age, that give strong protection and at the same time create opportunities and encourage innovation.”  

It will mostly scare the bejesus out of startup and medium sized businesses that leverage data to build useful products that delight their customers. In the case of entrepreneurs, it may even prevent them from obtaining growth capital because they may find it difficult to guarantee to investors that they will never fall foul. Most entrepreneurs, business owners, academics and third sector workers are not evil, but they sometimes make mistakes. It is these entities I feel most concern for. Particularly scrappy startups, and high-growth medium sized “gazelles” that need the freedom to move fast and break things.  

One area of the tech industry that’s experiencing incredible growth is Artificial Intelligence (AI). Data is the life-blood of companies operating in this space, because they need it to teach their AI to solve all kinds of highly complex problems faced by humanity mankind, from health and ageing to climate change.  

As for the tech elite, it will probably be business as usual. They have all the necessary resources at their disposal to comply when it suits, but “work” the system when it doesn’t. One of the main reasons companies like those I mentioned will remain unscathed, is we have become so dependent on their products that we will continue to agree to whatever consents are required. EU citizens will continue to do what they always have done, hit the “I Agree” button every time they login, or downloading a new app blindly hoping that Evil Corp will behave responsibly.  

Forgive my cynicism, but like many I’m conflicted. I wish the aforementioned top tier tech companies well. They do behave ethically and responsibility, and like billions of other people, I am a regularly user of products like Gmail, Amazon Prime, and Facebook. Making insane amounts of money from willing participants isn’t a crime, but the power has shifted too far in their favour. Over half the world’s rentable cloud storage is controlled by just four corporations, with Amazon alone commanding more than 30%, and Facebook could be deemed a monopoly.  

Today’s web has become far too centralised, but legislation isn’t the answer. We, the people, must take back control by building a new kind of web where data is reallocated, and redistributed. This will solve many of the issues that currently plague “Web 2.0”. Sir Tim Berners-Lee, inventor of the Web, promised us a decentralised, democratic, consensus-based web, but we got Facebook, Google and Twitter. Take a look at Blockchain, Tor, BitTorrent, MaidSafe, and Ethereum. These are the tools that will become agents of change. The name for this new kind of internet is “Web 3.0”, and it will herald the dawn of a new era. Get ready, because things are about to get very interesting indeed.  

Simon Montford is a London-born entrepreneur who co-founded the first web-based on-line auction platform (icollector.com) as well as one of the UK’s first digital media agencies. After a successful exit, he obtained an MBA and became an entrepreneur in residence in the Artificial Intelligence Institute at Edinburgh University. After several years travelling between Edinburgh and San Francisco, followed by a brief stint in London, he is now back in Scotland working as an IoT consultant.