🇬🇧How Does The GDPR Protect John Smith When He Surfs The Web?
What Is The Use Of The GDPR In Practice?
This brief reflection derives on the one hand from the practical and daily use of the Web, from fixed and mobile and, on the other hand, from divesting the shoes of the amateur (in the meaning of the term well defined by Nassim Nicholas Taleb in different times and contexts) with an interest in digital rights to play the role of a normal user.
I deal with GDPR because this is what we have to deal with here in Europe: similar legislation, in form and consequences, is present in other parts of the world, for example in California with a model that is progressively expanding in most of the U.S.; I limit my remarks only to the context of ‘coockies web tracking’: this is for brevity, because it is very evident and because everything else presents a situation, as I will mention at the end, much worse.
Therefore for some time now John Smith opens (roughly) any site and, as a consequence of the GDPR, finds himself with a popup that, depending on the type of device:
- occupies from 1/5 to 4/5 of the screen;
- asks for consent so that the site he is visiting traces, via cookies, the behavior and characteristics of navigation within the site itself;
- in alternative to the consent, the popup can be closed or it closes itself (continuing the navigation) or it indicates the possible management of the tracing coockies.
If you have time to waste you can go into the management. In this case the proposed solutions are different and usually they belong to the following list:
- choice of coockies for which you accept that your navigation is subject to tracking;
- list of data-brokers to which you choose to entrust the tracking of your navigation;
- a life-story containing the privacy policy of the site with final acceptance;
- combination of the above.
Of course there are specific apps (CMP, Consent Management Platforms) that provide site managers with the entire technical framework so that what is required by the GDPR is implemented and optimized with minimal expense in the code of the site itself.
I’m a ‘privacy-lazy’ and since I’m on the web 80% for work needs, and I surf for 70% of my working day and 30% of my non-working day, popups are just a nuisance for me and I close them all, immediately and as fast as I can.
I adopt this behavior because the time I dedicate to surfing is finalized to my work, and/or to my pleasure, not to reiterate choices related to my digital privacy: with a governance like the one in place or I do one or the other.
Since I don’t seem to be the only one who can be profiled as a ‘privacy-lazy’, I’d like to know what is the point, in everyday reality, of a rule that, in order to efficiently protect myself (in the use of a service) from behaviors that I consider harmful to me, I must dedicate to its application a time at least equal to the use of the service itself (if not more).
Attention: I am not questioning the rule itself but, rather, its practical application.
Let’s suppose to have an amount of time to throw away such to allow me to move to the category of ‘privacy-observant’. So for each site I visit, I diligently fill out my privacy preferences, as well as make myself aware of and accept the various policies. I would like to know who checks that my preferences are respected by those who manage the site. The authorities in charge, at least in Italy, no and it does not seem to me that in other countries it goes better: no one has the technical means (let alone a quantity of personnel) to carry out checks, not even by sampling.
Someone else has thought about the control, even summary, and the results can be read here. So, to be observant, the wasted time would be double: the time of doing and the uselessness of the same.
Attention: event this time I am not questioning the rule in its theoretical construct, but the part necessary for it to be respected, namely the controls.
Let’s move on. Cookies are not the only tracking methodologies: very common and widely used, as literature teaches, are also browser fingerprints and pixels in emails. I’d like to know how the GDPR allows my preferences to be protected against these two types of tracking. In this case the question is not to be lazy or to be observant because the legislation does not provide anything about it and the two systems can be, in theory and in practice, used by the managers of the sites without any limitation and without any control.
Attention: also in this case the normative structure is unharmed, except for the fact that it is outdated, inefficient, in front of the technological reality that it should regulate, therefore useless.
In truth, I am a pseudo-privacy-lazy. I adopt technologies for the navigation that (I hope) at least partially protect me from the ‘havoc without consequences’ that the current legislation allows to make of my preferences and personal data while using the net. However, these technologies, which are available to all:
- are not applicable by everyone, if only because of knowledge of the problems they attempt to remedy;
- they limit the navigation in Internet, in how much they are known also to those against which they are created that, obviously, they put in action such countermeasures to annul them, through the not usufruibilità of their sites and services;
- are in most cases the result of private non-profit initiatives, dedicated to the protection, even in practice, of digital rights with the consequent budget limits for research and development.
As a corollary, the citizen, the user, is forced to defend himself because the state is not able to do so.
The problem is therefore that, on the one hand, there are the ‘thinking heads’ who have created a regulation, certainly important in its content, which in fact is not applicable or applied. The excellent principles to which it refers, and the equally excellent aims, have immediately proved useless in the face of the technology in existence (and which had to be regulated) and its progress. The lack of adaptive flexibility to innovation is doing the rest.
The ‘thinking-heads’, and above all the small cohort of their followers, have the curious tendency to self-referencing (in social networks, in conferences, in academies, in governmental and supra-governmental bodies) that triggers a perverse spiral based exclusively on principles that, both for ignorance and/or convenience, screws them more and more on themselves and distances them permanently from everyday life lived by people.
On the other side there are the data-brokers who are laughing (and counting the money) and the common users, whose digital privacy continues not to exist, now also with the blessing of GDPR.
The worst, yet to come but close to debut, will concern AI (artificial intelligence) regulation: the assumptions, the heads, the methodology and the cohorts are always the same.
This is an English adaptation of a neuronal Italian/English AI translation by DeepL.
