Where GDPR went wrong

Captions
This video was sponsored by CuriosityStream in partnership with my streaming service Nebula.

Remember when, on the 25th of May 2018, this is what everybody's inbox around the world felt like? GDPR had just become official in the European Union, and whether you were from the EU or not, suddenly every internet service you had ever knowingly or unknowingly signed up for sent you an email saying "hey, can we still be friends?" Interest in the General Data Protection Regulation of the EU spiked for a few days, it was the topic for almost a whole week, and then everyone predictably got bored with it and found that in reality the only visible difference GDPR seems to have made to their lives was adding a seemingly never-ending list of cookie banners that barely did anything anyway. But is that it? Is GDPR really just a law that annoys us with cookie banners, or did it actually manage to create some positive lasting change? Well, almost three full years have passed since the law actually came into effect, so in the 73rd episode of The Story Behind series let's actually assess its impact, and let's for once actually take a closer look at some of those insanely annoying cookie banners.

GDPR's original goal was to improve the privacy of EU citizens in three main ways. First, before collecting any personally identifiable data, companies had to clearly explain what they would collect, how they would use that data and who they would share it with, and they could then typically only go on with the collection if they had received explicit and informed consent for it. Second, once the company collected the data, the user could then ask to see, export and delete said data, and if it was compromised through a data breach, the company now had to let the relevant authorities know within 72 hours. And third, GDPR mandated that the companies and individual EU member states had put the processes and resources in place to actually be able to enforce these new rules, including member states establishing dedicated data protection authorities and companies naming dedicated data privacy officers if they were large enough, taking responsibility for the practices of their contractors, etc. All of this was backed by the promise of huge potential fines so companies would actually comply, and the nice side effect that at least most would only have to comply with one set of privacy rules for the entire continent going forward, not 31 individual ones. In other words, while GDPR did not outright ban the tracking of users by itself, it did, at least in theory, give people real information, real decision-making powers and a legal system to turn to if needed, making it both surprisingly ambitious and well-intentioned. But of course intentions are one thing and reality is another thing entirely, and since almost three years have passed since GDPR actually came into power, we can now take a look at what happened in practice and what didn't. So let's do just that.

Perhaps the most obvious success of GDPR is how it impacted data breach warnings. Last year alone around 120,000 data breaches were reported across the EU according to law firm DLA Piper, while before the introduction of the GDPR those numbers were around 18 to 20,000 reports a year, meaning that firms are at least six times as likely to report breaches across the EU now that there are strict rules for it. The 72-hour rule also means that there should be no undue delay for reports in the EU, unlike how Equifax in the US, for example, took around two full months to notify the authorities of their massive data breach concerning over a hundred million people. And finally, there are now also clear fines being imposed when breaches were the result of inefficient security measures, with at least 122 fines being issued so far, including to British Airways, Marriott International, a Swedish hospital and even public authorities like the Bulgarian National Revenue Agency, for example. Fines are still much smaller than the maximum amount allowed under GDPR, but data breach warnings are overall undoubtedly a huge success of GDPR.

Another area of success is the ability for users to view, download and delete the data a company has on them. Places like Facebook, Google and Amazon have automated portals that let you download or request a deletion for all of your data, for example, and while many have rolled this out to non-EU citizens as well, you almost certainly have GDPR to thank for that too. Before GDPR, many services simply refused to delete your data, like how I spent over three months and multiple hours of support calls trying to get an Apple ID deleted without success, or how one US-based New York Times subscriber recently found out that the publisher simply did not allow him to have his associated email address deleted, because screw him, that's why. EU citizens now very much can and do sue companies who refuse to give them their data, and enough of them actually win cases, like this Hungarian man against Google for example, so that companies usually do begrudgingly comply with requests eventually. And a third success is in general having more information. Here's a German newspaper called the Morgenpost, for example. Because of GDPR it now has to show you every single company it could share your data with, as well as what they will use it for, in this insane list. And while yes, the average person can't possibly be expected to go through a list like this for every page they visit, GDPR does at least help expose some of the ugliest sides of the internet and potentially gives researchers, journalists or privacy organizations the tools to highlight which providers do particularly badly and why.

Which finally takes us to consent, arguably the area where GDPR had the most mixed results. In some ways, for example around controlling newsletters or marketing communications, GDPR did relatively well. Many services, like DocuSign here for example, ask the user to explicitly opt in to receive marketing emails when they sign up if they are from the EU, while users in the US, for example, don't; those probably just get opted in automatically. Similarly, many pages now let you reject cookies and other trackers you would have previously not been able to reject, was it not for GDPR. But, and I am sure you have noticed this already, this is where GDPR actually starts to fall apart. Many pages of course don't really give you a fair and realistic choice, even though they pretend that they do, and so looking at their cookie banners and consent dialogues actually gives us a pretty good idea of all the weaknesses of GDPR. So let's take a closer look at some of these banners and dialogues, ranging from some of the best to some of the absolute worst.

An excellent implementation of the consent banner can unsurprisingly be found on the official websites of the EU. The banner itself is small, it can be ignored fully without breaking the site's functionality, rejecting it is as easy as accepting it, and unless you specifically accept it, the only cookie that gets dropped on your browser is just a technical one that stores whether you have JavaScript enabled on your browser or not. Cookies like this, which do not collect any personal information, do not have to be consented to, so dropping it is fine, and all other trackers the EU has are clearly explained in their policy and seem pretty reasonable too. So this page is very GDPR compliant. One step below that is, for example, GitHub, which doesn't have a banner at all. The page does place a bunch of cookies on your browser, but these are all what they call, quote, "strictly necessary" ones, which are used to store your preferences and login info, and they only use first-party analytics. Given that, they can pretty confidently claim that whatever data they have on you is either, quote, "necessary for the performance of a contract to which you are a party" or in their "legitimate interests", both of which allow them to collect the data without additional consent. So this all seems clean and nice. And one step below that is the website of my startup, Crowd. Again, the cookie banner can simply be ignored or temporarily closed without breaking functionality, and while permanently rejecting cookies takes one extra step, it's still pretty easy to do. I'm giving us minus points here because this checkbox doesn't actually do anything, but it's just a standard part of the cookie dialogue tool we got from Wix, the website maker that we use to build and host our website, and it can't be disabled, so we just have this silly placeholder disclaimer here. Now looking at the actual list of cookies and trackers we use: this is the one that the consent banner actually saves your choices into when you click accept or reject; these are functional cookies set by Wix for security and performance purposes; this one is from Riddle, the company whose tool we use to build and host our weekly tech knowledge quizzes, which you will only have to use if you specifically visit the quiz page; and finally, these are the cookies for Google Analytics. They only drop if you click accept, and as we describe in our cookies policy, we only use the most bare-bones version of Google Analytics possible, so we can see what users do on our page without us being able to personally identify or retarget anyone.

But now let's move on to the shady stuff. The Verge, for example, does not seem to have an obvious option to reject cookies at all, and even though their banner says you can opt out, after reading their actual cookie policy all that is written there is how you can disable cookies in your browser in general. Not exactly a real solution. One saving grace here is that you can actually use the page without hitting accept, and until then no real tracking stuff gets dropped on you, but once you hit it the page reloads and you get about 10 more cookies according to Firefox, also explicit trackers from Twitter, Facebook, Google Analytics and whoever that is, plus you have just agreed to sharing your data with all of these companies and have theoretically agreed to all of their privacy policies too. Most other major media publishers have similarly shady consent policies too. For example, here's Morgenpost from Germany again. It loads trackers from Facebook, Google Analytics, Google's ad network DoubleClick and the Amazon ad network before you even agree to anything, and if you click on settings you get treated with this beauty, which first of all is just an amazing list, and not only was the option to save these changes on purpose designed to look like it's not clickable, you might not have realized that you are just in list one of three, and if you click on "list all" there is plenty of stuff you can't turn off, like Piano Software Inc for example, which is used solely for marketing purposes according to their own statement and somehow counts as legitimate interests and can't be opted out of. So even if you went through all of this, you still can't disable tracking via the banner. Or take Instagram for example. Say I want to learn more. Nope, this doesn't tell me anything interesting, so let me check the cookie policy, and I literally have to accept all tracking to even read what is in their policy and what they will track. Great. And personally my most hated implementation is that found on TechCrunch, Engadget or any other publication owned by Verizon Media for that matter. Click on options and you'll see this incredible page showing that by default you would have given access to all of your data to parent company Verizon Media and also Google, including all of their ad partners, as well as any member of the IAB, or the Interactive Advertising Bureau, which is basically an association for pretty much all major advertisers and ad networks online. In other words, basically everyone. Cool. And once you opt out of those and disable legitimate interests, which again many of them claim to have despite being purely advertising based, you then have to manually go to Twitter's page, disable tracking there, go back to TechCrunch, then manually visit Facebook's page, accept their cookies so you can read their damn policy, and find out that, joke's on you, there actually isn't a way to opt out of anything. You've just been tricked. And by the way, in the case of TechCrunch it's also essentially impossible to download or delete any data they have on you. I have spent about two hours looking through their never-ending privacy policy maze trying to do either, and eventually I just gave up. I mean, their policy clearly says that you can download and delete data, so I'm sure it's technically somehow true, but after doing about 30 captchas I ended up on this page, which half the time didn't work for me at all. I could not find a delete or download button anywhere, and even if I did, they would have already sent my data to like 800 other partners anyway, so what's the point of deleting it from their servers anymore? And Verizon Media, as far as I can tell, has been sued exactly zero times under GDPR, which is just amazing and also kind of highlights the three major problems that I have with GDPR.

First, under GDPR the people collecting your data are also the people who are designing the consent forms for that collection, and it's kind of like telling criminals to design their own prisons: even if you instruct them not to leave the doors open, they probably will just leave all the doors open. Contrast that with how Apple recently designed an iOS system prompt third-party app makers have to use if they want to track users across other apps, and you'll instantly see how their design is way less ambiguous than the one Verizon Media designed for itself. It's just a simple standard yes/no question versus this monstrosity. Second, while users can kind of conceptualize the tech giants such as Google, Facebook, Apple, Amazon and so on, and can sort of be expected to reasonably deal with these tech giants, there is no way in hell the average user is going to understand the complicated mess that is these faceless publishing giants and programmatic ad networks. This is just outside of the normal person's world completely. I mean, the average person reading an Engadget article has absolutely no idea that they are actually on a page run by Verizon, or that that company is combining their Engadget reading data with their TechCrunch history, their personal information from their Verizon contract and the contents of their Yahoo emails and search history, and is shipping all of that off to an ad network, who then ships it off to another ad network, who then ships it off to another ad network, and so on. Most publishers like Verizon Media or Future plc, who runs like a million blogs you probably read as well, and especially the ad networks, are quiet, faceless and intentionally confusing giants, so the consumer doesn't even know who they have to be angry at, unlike with Google or Facebook. And third, advertisers have of course also found the perfect loophole out of GDPR completely, in the form of legitimate interest. See, asking for your consent is actually only one of six potential reasons companies can legally process your personal data under GDPR, and while the other four are fairly mundane, the sixth one here is, quote, "legitimate interests pursued by the controller or by a third party", and this is ripe for abuse. What exactly is a legitimate interest? Well, that's exactly the trillion-dollar question all the companies are kind of testing the limits of. The British Information Commissioner's Office says companies can use legitimate interest whenever they process people's data in ways that they would reasonably expect, or where there is a compelling justification for the processing, and then it also goes on to state that commercial interests can count as legitimate too, which is pretty damn vague if you ask me, and you might also wonder what commercial interests count as compelling justification for data processing without even asking for consent under the law. Morgenpost seemingly argues that most of their ad network companies don't have legitimate interest in tracking you, but Piano Software Inc and a few others do for some reason, and so you can't opt out from those. Verizon Media Group argues that pretty much all of their IAB partners have legitimate interests to track you, but they are probably too scared to actually enforce that in practice, so they let you technically opt out of those, which if you think about it makes absolutely no sense. They're either processing your data based on consent or legitimate interest; you can't consent to legitimate interest, that makes no sense. But anyway, Facebook in their wild policy goes furthest and claims that their legitimate interests include, quote, "providing an innovative, personalized, safe and profitable service", and I just want to highlight this: they claim providing a profitable service is a legitimate interest under the GDPR. Just as a reminder, legitimate interest allows for the processing of user data without even having any user consent, so if Facebook is right and operating a profitable service counts as legitimate interest, then basically any for-profit ad company would have legitimate interest to process basically any user data without any user consent, which would basically be the mother of all loopholes.

Now obviously there is still a lot of debate around legitimate interest, and while the European courts have made a few judgments around it, the exact premises aren't clear yet. However, combined with the other two weaknesses, such as companies designing their own consent forms and the lack of clarity around publishers and ad networks, it is clear to say that the GDPR has not been a complete success. It's genuinely great that there is a single law in Europe, that data breaches are reported more frequently, that there is generally much more information and transparency on the internet and that Europeans can download or delete their user data from specific services, but there is still a lot left to be done. And that is where the GDPR stands almost three years after it came into effect. I think it is a significant first step in the right direction, but clearly there are still many loose ends that need to be tied up, and actually most of the EU would probably agree with this statement. The GDPR was originally supposed to be followed up with something called the ePrivacy Regulation, which is sort of an extension to the GDPR that could potentially fix many of its flaws, or make it worse. If you're interested in how that is coming along, I've actually put together a couple of minutes about that, sort of bonus content that you can watch on Nebula; links to that are down in the description.

Nebula is of course our very own video streaming service, which is privacy-respecting, ad-free and lets us freely create content like this little bonus episode without having to worry about what it will do to the YouTube algorithm. It is built and owned by many of the best educational content creators on YouTube, including Real Engineering, PolyMatter, Rene Ritchie, Wendover Productions and more. It comes with all of our regular content, in the case of TechAltar for example even a day or two early, as well as many fantastic originals like this 20-minute deep dive into the origins of the iPhone by Rene Ritchie, with appearances from Marques Brownlee, iJustine, John Gruber, Walt Mossberg and more. It is fantastic content, and you can get access to all of Nebula for free with a subscription to my sponsor CuriosityStream, which itself is less than 15 bucks for an entire year; that's like barely more than a dollar a month. CuriosityStream is of course the premier place on the internet for high-quality professional documentaries, from the founder of the Discovery Channel, and they have a huge library of science, nature and history content to binge while you are stuck at home. I have recently finished watching an episode of Catalyst on CuriosityStream which took a closer look at the potential of quantum computing, and there's a ton of other great content from hosts like David Attenborough, Jane Goodall, Stephen Hawking and more. So check them out at the link in the description, and I'll see you in the next video.
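The banner tour in the video is essentially a manual audit: which cookies are present before any click, and what the Accept button adds. As an added example (not code from the video or from any site it discusses), the Python below automates that comparison over a constructed cookie capture; the tracker domains, cookie names and site hosts are hypothetical.

```python
"""Audit which cookies a site sets before and after the consent click.

Added example, not from the video. The cookie records below are constructed
to mirror a browser dev-tools cookie list; the tracker and strictly-necessary
name lists are hypothetical placeholders for a maintained list.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str  # host the cookie is scoped to, e.g. ".ads.example"
    phase: str   # "before": present on plain load; "after": added by Accept


# Hypothetical third-party tracker domains.
TRACKER_DOMAINS = {"ads.example", "analytics.example", "social.example"}

# Purely technical first-party cookies carrying no personal data, which (as the
# video notes for the EU sites) may be set without asking for consent.
STRICTLY_NECESSARY = {"has_js", "consent_choice", "session"}


def registrable(host: str) -> str:
    """Reduce 'a.b.ads.example' or '.ads.example' to 'ads.example'.
    Naive (last two labels): fine for the sample data, not for public suffixes."""
    return ".".join(host.strip(".").split(".")[-2:])


def audit(site: str, cookies: list[Cookie]) -> dict:
    """Report what was dropped without consent and how much Accept added."""
    own = registrable(site)
    before = [c for c in cookies if c.phase == "before"]
    after = [c for c in cookies if c.phase == "after"]
    trackers_before = sorted({registrable(c.domain) for c in before
                              if registrable(c.domain) in TRACKER_DOMAINS})
    own_non_essential = sorted(c.name for c in before
                               if registrable(c.domain) == own
                               and c.name not in STRICTLY_NECESSARY)
    return {
        "trackers_before_consent": trackers_before,
        "first_party_non_essential_before_consent": own_non_essential,
        "cookies_added_by_accept": len(after),
        "clean_default": not trackers_before and not own_non_essential,
    }


# Constructed captures. GOOD mirrors the pattern the video praises (only a
# technical cookie until Accept); BAD mirrors the pattern it criticises
# (ad and social trackers loaded before any click).
GOOD_CAPTURE = [
    Cookie("has_js", "good.example", "before"),
    Cookie("_ga", ".analytics.example", "after"),
    Cookie("consent_choice", "good.example", "after"),
]
BAD_CAPTURE = [
    Cookie("session", "bad.example", "before"),
    Cookie("uid", ".ads.example", "before"),
    Cookie("fr", ".social.example", "before"),
    Cookie("pref_tracker", "bad.example", "before"),
    Cookie("_ga", ".analytics.example", "after"),
]

if __name__ == "__main__":
    for site, cap in (("good.example", GOOD_CAPTURE), ("bad.example", BAD_CAPTURE)):
        print(site, audit(site, cap))
```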
Info
Channel: TechAltar
Views: 167,667
Keywords: GDPR, EU, European Union, General Data Protection Regulation, ePrivacy, regulation, law, privacy, CCPA, cookies, tracking, trackers, google, facebook, social media, rights, data
Id: v_W0wR4AClk
Length: 20min 38sec (1238 seconds)
Published: Thu Feb 25 2021