Quotation-as-title by George Sand. Image from top-linked post.
The EU is certainly coming out swinging against Big Tech this year. Or at least it thinks it is. Yesterday, the European Parliament voted in favour of three proposals, outlined by the EFF’s indefatigable Cory Doctorow as:
1. Article 13: the Copyright Filters. All but the smallest platforms will have to defensively adopt copyright filters that examine everything you post and censor anything judged to be a copyright infringement.
2. Article 11: Linking to the news using more than one word from the article is prohibited unless you’re using a service that bought a license from the news site you want to link to. News sites can charge anything they want for the right to quote them or refuse to sell altogether, effectively giving them the right to choose who can criticise them. Member states are permitted, but not required, to create exceptions and limitations to reduce the harm done by this new right.
3. Article 12a: No posting your own photos or videos of sports matches. Only the “organisers” of sports matches will have the right to publicly post any kind of record of the match. No posting your selfies, or short videos of exciting plays. You are the audience, your job is to sit where you’re told, passively watch the game and go home.
Music Week pointed out that Article 13 is particularly problematic for artists:
While the Copyright Directive covers a raft of digital issues, a sticking point within the music industry had been the adoption of Article 13 which seeks to put the responsibility on online platforms to police copyright in advance of posting user generated content on their services, either by restricting posts or by obtaining full licenses for copyrighted material.
The proof of the pudding, as The Verge points out, will be in the interpretation and implementation by EU member states:
However, those backing these provisions say the arguments above are the result of scaremongering by big US tech companies, eager to keep control of the web’s biggest platforms. They point to existing laws and amendments to the directive as proof it won’t be abused in this way. These include exemptions for sites like GitHub and Wikipedia from Article 13, and exceptions to the “link tax” that allow for the sharing of mere hyperlinks and “individual words” describing articles without constraint.
I can’t help but think this is a ham-fisted way of dealing with a non-problem. As Doctorow also states, part of the issue here is the assumption that competition in a free market is at the core of creativity. I’d argue that’s untrue, that culture is built by respectfully appropriating and building on the work of others. These proposals, as they currently stand (and as I currently understand them) actively undermine internet culture.
As a small business owner and co-op founder, GDPR applies to me as much as everyone else. It’s a massive ballache, but I support the philosophy behind what it’s trying to achieve.
After four years of deliberation, the General Data Protection Regulation (GDPR) was officially adopted by the European Union in 2016. The regulation gave companies a two-year runway to get compliant, which is theoretically plenty of time to get shipshape. The reality is messier. Like term papers and tax returns, there are people who get it done early, and then there’s the rest of us.
I’m definitely in “the rest of us” camp, meaning that, over the last week or so, my wife and I have spent time figuring stuff out. The main thing is getting things in order so that you’ve got a process in place. Different things are going to affect different organisations, well, differently.
But perhaps the GDPR requirement that has everyone tearing their hair out the most is the data subject access request. EU residents have the right to request access to review personal information gathered by companies. Those users — called “data subjects” in GDPR parlance — can ask for their information to be deleted, to be corrected if it’s incorrect, and even get delivered to them in a portable form. But that data might be on five different servers and in god knows how many formats. (This is assuming the company even knows that the data exists in the first place.) A big part of becoming GDPR compliant is setting up internal infrastructures so that these requests can be responded to.
A data subject access request isn’t going to affect our size of business very much. If someone does make a request, we’ve got a list of places from which to manually export the data. That’s obviously not a viable option for larger enterprises, who need to automate.
To be fair, GDPR as a whole is a bit complicated. Alison Cool, a professor of anthropology and information science at the University of Colorado, Boulder, writes in The New York Times that the law is “staggeringly complex” and practically incomprehensible to the people who are trying to comply with it. Scientists and data managers she spoke to “doubted that absolute compliance was even possible.”
To my mind, GDPR is like a much more far-reaching version of the Freedom of Information Act that came into force in the year 2000. That changed the nature of what citizens could expect from public bodies. I hope that the GDPR similarly changes what we all can expect from organisations who process our personal data.
Source: The Verge
However, I have to say I’m impressed with what’s going to happen in May. It’s going to have a worldwide impact, too — as this article explains:
For an even shorter tl;dr the [European Commission’s] theory is that consumer trust is essential to fostering growth in the digital economy. And it thinks trust can be won by giving users of digital services more information and greater control over how their data is used. Which is — frankly speaking — a pretty refreshing idea when you consider the clandestine data brokering that pervades the tech industry. Mass surveillance isn’t just something governments do.
It’s a big deal:
[GDPR is] set to apply across the 28-Member State bloc as of May 25, 2018. That means EU countries are busy transposing it into national law via their own legislative updates (such as the UK’s new Data Protection Bill — yes, despite the fact the country is currently in the process of (br)exiting the EU, the government has nonetheless committed to implementing the regulation because it needs to keep EU-UK data flowing freely in the post-brexit future. Which gives an early indication of the pulling power of GDPR.
…and unlike other regulations, actually has some teeth:
The maximum fine that organizations can be hit with for the most serious infringements of the regulation is 4% of their global annual turnover (or €20M, whichever is greater). Though data protection agencies will of course be able to impose smaller fines too. And, indeed, there’s a tiered system of fines — with a lower level of penalties of up to 2% of global turnover (or €10M
I’m having conversations about it wherever I go, from my work at Moodle (a company headquartered in Australia) to the local Scouts.