This month I was honoured to speak at Smashing Conference Freiburg in Germany, where I closed out the event with a talk about developing privacy-conscious projects. You can view the slides here, and the video is here.
The Smashing team were outstanding and spared no effort for speakers, which is a very useful thing when railworks turn your trip into a saga involving two buses, three airports, two flights, three trains, and a rail replacement bus. I never expected that my 25 year old high school German would get so much, uh, creative use on a single day, but there you go.
Freiburg was a bittersweet trip for me, coming as it did with the very strong feeling that this was it – my last trip to Europe as a member of the EU and the freedom of movement that came with it. I felt like it was the end of a journey that began unexpectedly in Seville four years ago. Whether that’s a definitive end or a pause for reflection is beyond my ability to answer. (As it happened, I was in Brussels a month later…)
The big announcement
At the end of my talk I was finally able to reveal my big news. Vitaly and the fabulous team at Smashing Magazine – who read my post on teaching the legal side of web development, and most definitely got the hint – have commissioned me to write a book on privacy for web professionals.
We’re fairly certain that this will be the first ever book on privacy theory and practice, both as a concept and as a legal principle, written specifically for web developers, UX designers, and digital project managers – at least the first book written by one of their own, from the viewpoints they understand, in the language they need, and at a price they can afford.
The book will be edited by Rachel Andrew, and will also enjoy Rian Kinney’s laser oversight as its legal editor. It will be available as an ebook and as a physical book as well. Smashing’s printed books are truly gorgeous and leave no detail overlooked, so I do hope you go for both versions!
All going well with the writing, editing, and illustrating process, we hope to ship the book in late spring 2020, around the time when everyone will (we hope) need to begin preparing for the ePrivacy Regulation revamp.
Writing a book is something I have always wanted to do and I’m grateful for Smashing for having faith in me to do it.
The conference used a collaborative document to take audience questions, but we only had time to answer a few. I’ve now had time to go back and answer the rest to the best of my ability.
Q. Wouldn’t it make more sense to integrate privacy regulation into browsers instead of forcing website developers to take care of it (millions of websites vs. dozens of browsers)?
A: To me this would certainly be a more sensible solution. This idea was included in earlier drafts of the European privacy reform, but those proposals were then taken out. Why? Because browser manufacturers show up to political processes, and developers don’t.
Q. How can we deal with the fact that hackers are sometimes very very clever – often cleverer than us? We can have taken all available precautions, but they get through anyway and access personal data. Data security absolutely cannot be 100% guaranteed (except by disconnecting from the web)
A: We’re only ever going to be one step ahead of those who would misuse the data we hold, so data minimisation is key. Don’t collect data you don’t need and don’t provide data you don’t really have to hand over. Delete data you shouldn’t have, and remind the people (such as third parties) you work with not to pass you data you should not be holding either. Here’s some more advice.
Q. I do not use Facebook and Whatsapp, because of privacy concerns. Unfortunately the complete mobile phone‘s address book of any user using Whatsapp is submitted completely to them. So in fact I lose my personal data indirectly as soon as anybody who uses Whatsapp, enters my data into the phone‘s address book. When are Facebook and Whatsapp forced to stop this usage that is obviously against current GDPR law?
A: There are current investigations by data protection regulators into these practices.
Q. Is privacy possible as long as the web is dominated by US companies (Google, Facebook etc.)?
A. The problem there is not so much the fact that the companies are American, but that policymakers view those dominant US companies as the web. Much of the draft European and UK legislation I deal with in my policy role is crafted to punish those larger American companies – with no regard for the smaller domestic companies, and the ones which do respect privacy, which will be caught up in their wake.
As I often say, if you legislate the web as if only Facebook and Google exist, the result will be that only Facebook and Google will exist. So it’s really important for privacy-hostile tech giants to recognise that their lack of respect for privacy threatens innovation across the board; it is equally important for development communities to show up and represent themselves to policymakers, and explain to them that we are not all Facebook. They really do think we are.
Q. Do you think that GDPR and ePrivacy should have excluded small or non-profit websites? Do they stifle creativity by treating indivuals and small teams like multi-national corporations?
A. It was absolutely right for small businesses and nonprofits to be included. A five-person app studio can cause as much damage as a multinational corporation through poor privacy practices; for that matter, nonprofits have been guilty of some absolutely unforgivable data breaches and privacy violations against the people they claim to serve. At the end of the day, “we’re just a small business” or “but we’re a charity” are not valid excuses. If you’re going to turn up to play the game, you’ve got to follow the rules.
Q. Isn’t the main frustration from developers not to do with cultural differences in our understanding of privacy, but from the total lack of practical guidance on how to comply with GDPR? We are not lawyers, we don’t need vague commandments to be clarified by test cases in court once someone has accidentally done something wrong. We need a simple checklist – if you do these things, you are safe.
A. Data protection regulators are definitely getting better at providing guidance and advice, but they have a long way to go. I’ve done my best to provide simple guidance, but I can only reach one reader at a time.
It’s important to remember that Europe isn’t the US – we don’t do “test cases in court”, unless you’re Facebook. We have a system of cooperative work through data protection regulators which prevents 99% of all issues from going anywhere near a courtroom. So don’t ever think that a lack of headlines about courtrooms, judges, and fines means that privacy is not in fact being enforced.
Q. If you’re prepared for GDPR, what do you need to adjust for CCPA?
A. Rian Kinney gave a talk about this at WordCamp US.
Q. Most businesses are built on using data, so how will the world change?
A. I don’t think innovation is threatened in the slightest if business models built around breaking the law are no longer allowed to run without consequence. If you’re being both morally responsible and legally compliant with data, you have nothing to worry about.
Q. How has privacy improved by training users to rapidly click away any button with something like “accept cookies” on it?
A. It has not, and that failure is largely our fault: we failed to represent ourselves in the processes which shaped the way that particular law was written, and we failed to create a privacy-friendly UX language for meaningful user consent. It’s never too late to change that.
Q. Speaking of a universal privacy: If America has a different attitude towards privacy culturally shouldn’t that attitude be respected (also in regard of internationalization)? Of course we have a strong ethical opinion from our point of view, but their view should be regarded as equally valid, shouldn’t it be?
A. They are welcome to uphold their values in the commerce they conduct within their own borders. But if you show up at my house, you follow my house rules. That’s how privacy works too.