Steemit vs GDPR - Hurdles Ahead
On the 25th of May of this year a new piece of legislation will come into force across the European Union aimed at harmonizing data privacy laws across all member countries.
The General Data Protection Regulation, best known as GDPR, aims at enhancing the protection of every EU citizen regarding how their personal digital data can be processed and transferred across all jurisdictions.

GDPR effectively replaces the Data Protection Directive 95/46/EC which has been considered insufficient for a couple of years.
One of the key differences with the older directive is that GDPR will now enforce data privacy regulations for all EU citizens regardless of the physical location of the data controller/processor, even outside the EU:
The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.
In other words, a corporation handling data of EU citizens, even outside the EU, must abide by the GDPR and must appoint an EU representative to answer to EU regulators/courts.
Furthermore, GDPR increases the possible penalties for non-compliance to up to 4% of the company's global turnover for the most serious infringements.
Of significant importance is the fact that data processors will have a maximum of 72 hours to report private data breaches (e.g. hacking attacks) to the regulator before being found in breach of GDPR.

Most people are aware of such large breaches having been kept undisclosed for months at the risk of private data (such as credit card details, social security numbers, etc) being misused without the knowledge of their victims.
In some cases major shareholders have been suspected of selling their shares with knowledge of a data breach that had not yet been disclosed to the public.
For an entertaining (but worrying) example of such a case I recommend watching John Oliver's reporting of the Equifax scandal.
From the point of view of a user of digital services, GDPR aims to protect personal data by enforcing (non-exhaustive list):
- the right to know if his/her personal data is being processed or transferred, where and to what purpose.
- the right to erasure. A user can request his/her service provider to permanently delete all references to his/her private data.
- the right to request all personal data in electronic format and transfer it to another service provider. In other words the ownership of the personal data remains with the associated user.
- Data cannot be transferred outside the EU unless the destination jurisdiction provides same or greater levels of protections.

In the wake of the Facebook–Cambridge Analytica data scandal it is clear that the role played by GDPR has taken center stage within the IT industry and in the mind of many Internet users.
Concretely GDPR is forcing all digital service providers servicing EU citizens to put in place new mechanisms to ensure compliance with these stronger data protection rules.
For example, this can be seen in the new terms and conditions submitted to Facebook users in the last few days.
Impact on Steemit
As we all know Steemit is a social network platform based on the Steem blockchain technology.
This leads to the interesting fact that no past transaction on the blockchain (such as a user post) can be altered, let alone erased.
Another issue is that blockchains are usually decentralized, such is the case with Steemit. Therefore the "personal data" that the blockchain may carry is not confined to any particular jurisdiction.

The two characteristics above are in direct conflict with regulations such as GDPR, and it is therefore not far-fetched to think that at some stage in the future blockchain-based services such as Steemit could be on a collision course with the law in some parts of the world.
Now of course every one of us using Steemit appreciates many of the advantages of the platform, not least the fact that it facilitates micropayments for curation and posting rewards.
However, we cannot ignore the huge issue that the right to data privacy has become. Simply ignoring the attempts by regulators to enforce more restrictive rules on service providers is, in my opinion, not an option.
For all its efforts, GDPR will also face massive challenges in the future, some of which I try to explain below.
Weaknesses of GDPR
One of the main problems of GDPR is that while it aims at protecting users against misuse of their personal digital data, the fact is that it's not entirely clear what personal data actually means.

The GDPR definition of personal data reads as follows:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Source: GDPR Article 4
The problem with the above is that this definition could potentially include a very wide range of information.
Imagine a situation whereby somebody was to request Facebook to erase every reference that could lead to their identity. Just how many posts, links and other contributions would have to be deleted in order for all information related to that single person to be gone from all services provided by the social media provider?
So in practical terms GDPR can be really really hard to implement in full.
Another issue is the technical expertise required for assessing the compliance with GDPR.
We are talking here about possibly long arguments in court between armies of well-paid lawyers representing the biggest companies in the world and those representing the regulators.
These cases could stretch for years and center on specific technical points.
Finally, what comes to mind is the overhead imposed on many organizations in ensuring full compliance.
Most companies wouldn't have the means of major players such as Facebook, and GDPR imposes a new - potentially significant - cost on them.
What about Ethics?
With all of these points discussed (and many left out) it is easy to forget about the ethical aspects involved in providing a platform where erasure is simply not possible and data doesn't reside in any particular location.
One would feel tempted to point at the existing significant bureaucratic overheads of the EU administration and feel cynical about more regulations imposed on the IT industry.
However we should not forget what is at stake in the world of today.
We live in a world that is more connected than ever before, where people's private life is willingly or unwillingly advertised, where statistics are constantly gathered about who does what, when and how.
Consider the example of targeted advertising.
How does the average user feel about coming face to face with advertisements on some web sites directly related to a Google search executed the day before?
Should we, Steemians, consider the potential ethical issues associated with the misuses of the Steemit platform?
Should we examine the advantages and disadvantages of using the blockchain for anything other than financial transactions?
Should a social media platform remember absolutely everything?
Good or bad, true or fake, enhancing or damaging?
What if someone was to write defamatory content about somebody else?
What if someone was to post compromising material such as nude photographs, sex texts or simply outright fake accusations?
Imagine somebody accusing somebody else of heinous crimes such as child abuse?

Nothing disappears from the blockchain.
A jury may clear somebody's name, but the blockchain remembers forever.
Even if an attempt is made to obfuscate the information, it takes only average technical knowledge to bring that information back to life.
Most of all, who takes responsibility?
Of course Steemit has many positives as well, but isn't it time that we start engaging in a mature debate about the potential issues of the platform we enjoy every day?
So many articles are posted every day about how blockchains will solve all of our problems.
From decentralized energy supply, through electronic voting, to paper publication, "blockchain" is the hip word of the day and the cure for all diseases in the mind of many.
No technology is perfect and, in my opinion, so much hype should raise alarm bells rather than blind following.
GDPR itself is not well thought out from a deployment perspective. We cannot bolt the gates after the horses have bolted. There is legal consensus that GDPR cannot be applied on old data. Very soon this will shift into the courts for review. The user has to first inform whether a piece of data should be ephemeral, permanent, publicly visible or private. This has to be done at the time of insertion of the data.
GDPR's expectation of the right to erase will be confronted because if you compare this to a bank (safest), they have your personal data and nothing you can say/do will make them delete it. But it is just that they don't allow anyone else to access it.
Coming to Steemit, you are right that blockchain implementations by their very definition do not support erasure. Since Steemit is a closed community by creation, this argument may be solved by a well-designed EULA.
A content publishing platform always has the right to hoard publications forever and that is their prerogative. We just have to make sure that every user agrees to it.
Thanks for your useful insight.
I'm not sure I would agree with that statement. This may be an issue if the publication refers to identifiable private data.
Of course any old-fashioned publisher may be subject to court orders to force them to remove content from public view.
There is no reason to believe that it will be any different for digital content providers, though in practice it's become much harder to enforce.
This is particularly an issue when the content in question is seriously damaging to an individual.