What those privacy update emails are all about

If you are anything like me, then over the past few weeks, you probably have received dozens of emails from various companies based all over the world - technology companies, social media websites, airlines, app providers, you name it. You may even not remember when and where you opened an account with them. These emails all have the same starting line: “we have updated our privacy policy.”

Why, all of sudden, do they all have to amend their privacy policies? The answer is the GDPR.

GDPR stands for General Data Protection Regulation, a set of EU regulations which came into effect on May 25.

Unlike its predecessor, the GDPR has three unusual features: extraterritorial power, meaning that any company in any part of the world needs to comply with the GDPR if the company handles personal data of individuals in the EU (such individuals are called “data subjects”); extensive rights given to the data subject and onerous obligations imposed on the company (the “data controller”); and a potential fine up to € 20 million or four percent of global revenue of the date controller.

Little wonder all those companies have to rush out a new privacy policy to ensure they do not fall foul of the GDPR.

I have some strong objections against the GDPR. While there is a need to shore up personal data privacy, the pendulum has swung too far in the other direction, at the expense of business efficiency and innovation. Under the GDPR, the data subject can legally require the data controller to let him know what the personal data is (this is fair), and correct the data if it is incorrect (again, fair enough).

However, the GDPR also gives the data subject a right to erasure. Even if the data subject has previously given consent to the data controller to collect and process his personal data, he or she can withdraw the consent at any time for any reason, and ask the data controller to delete her or his data.

Surely this is unfair. The data controller has properly obtained a free and express consent from the data subject to collect and use the personal data and, in exchange, provided free services or some other form of value. Shouldn’t the data subject be held to her or his side of the bargain? Of course, the data subject should be entitled to withdraw consent if the consent was not freely given or fully informed, or the data controller did not stick to their side of bargain by giving unauthorised access to third parties. But a universal, blanket right to erasure is overkill.

The GDPR will greatly increase businesses’ litigation risks and compliance costs. Leaving aside the numerous uncertainties and ambiguities contained in the GDPR which are bound to give rise to disputes and litigations, it is very possible – even likely – that individuals will use the GDPR as a powerful weapon in disputes which have little to do with privacy grievances. Research shows over 80 percent of privacy cases in New Zealand are mainly related to other disputes between the parties.

The GDPR will also burden businesses with increased costs. Companies will need to upgrade their data storage and processing arrangements, implement new operation policies and procedures, and deal with customers’ requests, such as requests to delete personal data - which is not as simple as just hitting the delete button. To ensure the relevant data is completely erased, you need to override the specific memory space where the data is currently saved.

Another layer of complexity is that, where the personal data has been used for training an artificial intelligence application, the training dataset needs to be restructured if certain data points are to be deleted, and the AI application needs to be retrained. All of which adds to companies’ costs.

Perhaps most worrying, the GDPR could delay or even halt AI developments. Modern AI relies on three things: fast computers, smart algorithms, and data. The first two are easily available: Google, Amazon and Microsoft all offer cloud services which give everybody access to their servers and pre-built AI software. What they cannot provide is data. In fact, many AI researchers today are frustrated by the lack of data. Now, with the GDPR imposing stringent requirements on collecting and sharing data, AI research and developments are likely to suffer as a result.

China’s alternative data privacy path is worth a closer look. Consistent with China’s overall policy on AI development, its new privacy laws are more permissive than the GDPR. Last year, the China State Council released the New Generation AI Development Plan, setting an ambitious goal to become the world leader in AI by 2030. During Mark Zuckerberg’s testimony before the US Congress, he pointed out a balance between privacy and innovation needed to be struck “so that American companies can innovate in those areas, or else we’re going to fall behind Chinese competitors.”

Zuckerburg’s words may carry less weight than they used to, but he has a point. The importance of AI cannot be overstated. Humankind is under serious threat from climate change, and it is painfully clear that we have not been able to find a solution which is acceptable to everyone – we cannot even convince some people that climate change is real. AI, with its rapid developments and tremendous potential, could well be our only hope – OK, maybe not the only hope; we also have Elon Musk. But over-restrictive privacy laws like the GDPR will prevent us from fully exploiting AI’s potential and opportunities –an inconvenient truth we cannot afford.

Newsroom is powered by the generosity of readers like you, who support our mission to produce fearless, independent and provocative journalism.


Newsroom does not allow comments directly on this website. We invite all readers who wish to discuss a story or leave a comment to visit us on Twitter or Facebook. We also welcome your news tips and feedback via email: contact@newsroom.co.nz. Thank you.