Personal data can be as dangerous as guns and drugs.
Last updated: 21 September 2023
About GDPR compliance.
The law is the law
You may not have, copy, duplicate, transport or sell illegally recorded films. Even though the laws are slightly different in different countries and continents: illegally obtained copyrighted media are prohibited. Whatever you think of these rules yourself: the law is the law.
But suppose you make an agreement with a party that you will store and process illegal feature films in another country anyway. You sign a contract that you will abide by all kinds of treaties and not make the films public.
What do you think the legislator in such a country will think about such a private contract? They would laugh at you and take you to court. Because the law is the law, and it always takes precedence over what you agree privately.
That would be something if you mutually agreed that guns are fine in the office. Or drugs. Or other illegal activities. And then think you can get away with it. ‘Yes, but our contract says it’s allowed.’ Haha.
Personal data protection
The EU rightly restricts what companies can do with personal data. Personal data can be your name, birth date, gender, address, social security number, passport number, or bank account and can also be other identifiers such as your phone number or your IP-address.
Parties are not allowed to collect, process, share, sell or feed data about you to an AI unrestrainedly. You are supposed to know and be able to prevent and block that.
You may be thinking: ah personal data, what difference does it make? Well, you never know how someone might use your own data against you. Making debts in your name, or persecuting you because of your religion, sexuality or opinion. Or unknowingly influence your buying or voting habits.
Personal data is dangerous, a personal story
I experienced hidden books in the attic falling on my foot as a 4-year-old boy, as my dad was breaking away a ceiling. These books were hidden in our house during World War II. They were books about the city’s Jewish community, containing all the names and addresses of its members. The data was collected with all good intentions, and the Rabbi who had lived in our house in those years prevented the data from then being turned against the people by a terrible occupying fascist force. In those days it was about some books that you could easily hide. Now petabytes of personal data fly around the world in a millisecond, stored on unknown servers. How do you keep a grip on that?
(This story became the foreword in an important bestseller book about privacy called ‘You do have something to hide’ by Maurits Martijn and Dimitri Tokmetzis.)
As dangerous as guns and drugs
Personal data can become a weapon against you, your family, your reputation, your property, against freedoms, against democracy and against the rule of law. Personal data is thus much more important to protect than feature film rights, more of the same level of weapons and drugs, in terms of impact, danger, and subversion.
Data protection law
In the EU there is a personal data protection law, called the GDPR, or AVG, or DSGVO. It basically states, among other things, that you always have the right to block, determine and know who is doing what with your personal data, so you are in control and are protected.
The EU GDPR law also says that personal data must not end up in countries that do not offer this level of protection. You rightly think of countries like Russia and China that are prohibited. But did you know that the U.S. is also on the list of those questionable countries?
After all, the revenue model of big tech companies like Microsoft, Google and Meta (Facebook, Instagram) is data. Personal data allows them to sell targeted ads, for example. Did you know that they also use this data to train AIs to become even more influential and bigger?
US law reaches into the EU
Now you will think: let those companies just store your data in the EU, then all is fine. Unfortunately. In the US, there is the CLOUD Act, a law that stretches very far. That law demands access to all data of all US companies, even if those companies have subsidiaries in the EU, even if their servers are located in the EU. In effect, the US is imposing its law right into the EU, and that is quite to your detriment regardless of the legal notable situation.
The EU and the US have repeatedly tried to find solutions to this, for example with treaties that allow these companies to store data in the US, subject to restrictions.
Twice already, such a treaty has been thrown out by the European Court (the highest judicial authority): it does not sufficiently safeguard the rights of EU citizens and is therefore too dangerous. The third treaty is also already under legal challenge and, according to specialist legal experts, the treaty does not stand a chance.
Private contracts fail
The big tech companies obviously fear that they cannot continue their trade, so they – and companies that buy services from them – come up with all kinds of rather desperate ways to continue their illegal practices. For example, they claim that standard contractual clauses provide sufficient protection because they promise not to hand over any data.
Of course, those contracts don’t hold up. Because the law is the law: if the U.S. wants access to data, they will enforce it, regardless of what you agree among yourselves. The law is always stronger.
The serious solution to protect your data is for the US CLOUD Act to be amended and for there to be a law in the US with similar protection in the EU. But that is never going to happen: this data is the core business of the big tech companies, and the US intelligence agencies are also fond of your personal data.
So the impasse remains. US law will not be changed, the EU is rightly sticking to its rules, and treaties do not hold. Don’t believe it when parties make such promises!
Do you still want to make sure you comply with European law? Then make sure you work with a European supplier, using European infrastructure, a party that has no U.S. ties: no U.S. suppliers, no U.S. parent. Not even if there is a European company in between. Not even if an American company stores your data in the EU.
Hopefully, it has now become a little clearer to you why personal data is so important to protect. It’s about protecting yourself, your customers, your viewers. You risk fines, and you risk being excluded from tenders.
And finally: protect yourself. Your data contains very interesting information about your customers, your viewers, your format, your programming, your revenue model, and your advertisers. Will you risk any longer that you can be competed with your own data?
Jet-Stream is 100% GDPR compliant. We don’t say that, the auditor hired by EDPS, the European Data Protection Supervisor says that. We take data protection seriously, we are European and have our own European infrastructure. Contact us for more information.
We created this easy checklist. Is your vendor GDPR compliant?