Privacy by directive: It's coming up

European GDPR will be in full effect in less than two months now. Last time I wrote about it things were still a bit messy, but since then things have gotten clearer. To me, at least.

In the mean time, following discussion on the "other side of the pond" has been quite interesting. Huge majority of people writing about this on the US side appears to be thinking that this will essentially kill any and every business opportunity in Europe.

In the same time people (I don't claim that they are the same people, but I am sure that there is some amount of overlap) complain about newest privacy issues with Facebook and other companies whose entire business strategy is to grab as much Personally Identifiable Information as possible and to sell that to highest bidder any- and everyone willing to pay. Newest headline being that Facebook has absolutely no intent of granting the rights granted by GDPR to users in Europe to people anywhere else in the world. In other words, users everywhere else in the world are still screwed.

Take infamous "shadow profiles" for example (I won't provide a link; you can search for that yourself if you haven't heard of them already.) Or companies' refusal to remove personal data. This kind of behavior is exactly what GDPR was made to get rid of! GDPR makes entire practice of collecting this kind of "shadow information" explicitly illegal, although that line is kinda blurry. Knowing an IP address (or random cookie id) visited, say, toyshop.com? Might be fine. But more and more information you accumulate there, the more illegal status gets are information gets more explicit, until there is no way one can deny it - it's Personally Identifiable Information. Thus it is always better not to collect that "anonymous" information at all. User wins again!

After doing some reading, I found out that there isn't actually that much we have to do to get compliant ourselves. It certainly helps that parts of our business where this is applicable are already services where we keep customers' data for them. Meaning that insidious data collection, analysis and sales has never even been part of our business plan, so filling the gaps wasn't really that difficult. Not all of our GDPR-related updated are out yet, though, but the hardest parts are already done.

I don't get the people complaining how GDPR will ruin the internet. To me, it's completely the opposite - we're (well, at least we the Europeans) getting the control back! But of course, if your business is based on shady practices, I certainly am not surprised if users' access to their own information hurts the operations and therefore bottom line.

Meanwhile, we, the good people, are adapting for things to come, with smile on our faces.
("good" may not be best word here, but I can't think of better one right now, so that has to do)