In Latin, data means “something given”. The word is sadly extremely well chosen when referring to the information we offer online. The recent changes in EU law show the concern citizens have about the ever-growing data empire. The GDPR, the General Data Protection Regulation, is considered the harshest digital law in the world. Heavily lobbied throughout its creation process, it entered into application on the 25th of May 2018. This law is supposed to empower the people who give their data away on the Internet… so basically, everyone.
How did we reach the point of carelessly giving away our privacy?
The very harsh truth is: we are no longer the consumers, we are the products. The Internet appears to be a free service, and paying to have access to Google is inconceivable for the majority of us. We are, however, paying for these services with all of the information that we give them (including metadata, which is what our searches say about us), which they sell to other companies. Advertising is indeed the only business model on the Internet. But why do we let them do those things? Why do we accept using these platforms? In his 2018 “Big Data, Big Responsibilities” speech, Jeff Jonas said “Surveillance society is inevitable, irreversible, but more interestingly, it’s irresistible”. Most of us do not read the terms and conditions, and it has actually been proved that they are incomprehensible even to many lawyers. The people who resist the temptation of joining this net either eventually give in or have a profile anyway, created from all the information collected on them through what others have written about them on the web. Jeff Jonas himself fell down this slippery slope after years of resistance and is far from optimistic about the future. Indeed, he considers it is only the beginning of Big Data.
The 7 main areas of requirement of the GDPR
The European digital law adopted in 1995 was still in force in the EU until 2018, and the need to update it was becoming urgent. Nowadays, every single part of life can be digitalized, so making sure that the information which is stored is secured is the least we can ask for.
The GDPR concerns not only companies that have operations in EU countries but also organizations outside the EU that store data of EU citizens. A brief summary of the law’s key aspects:
The first point implemented by the GDPR can seem fairly light at first sight: it obliges the customer to actively show his acceptance of the terms and conditions by at least ticking a box. No more already-checked terms and conditions that let companies get the user to the service faster! Data security is also at the heart of the GDPR: the companies have to show that they can keep the data safe. If the data is hacked, the companies are obliged to notify their users in less than 72 hours. The companies also have to provide the right to access the data they processed about a customer if he or she asks to see it. This leads us to the next major requirement, data portability, which allows individuals to obtain and reuse their personal data if they wish to do so. Professionally qualified officers also have to be appointed, and it may even come as a surprise that many companies had no specialists in such an important area before. Privacy by design is also key: this term refers to privacy being a priority which is part of the product or service offered. Not to forget that from now on, companies will have to justify with a lawful reason that they need to keep the data they collected.
Last but certainly not least, Article 17 is probably the one most often mentioned: it is about the right to be forgotten. This is a new concept in a world in which “the Internet does not forget”, as is often said.
Loopholes in this seemingly panic-creating law
Is this law too vague despite all the criticism it has received from the United States? There are many flaws that let the behemoths get away with indirectly selling people’s data. The most important change in data privacy regulation in 20 years may not be that strong after all…
The law defines personal data as “any information relating to an identified or identifiable natural person”. Therefore, if the information is not directly linked to an individual, it can be sold without any problem. The separate pieces of information can be put together afterwards to infer who they are about.
The thing which scares companies the most is the “20 million euros or 4% of the global turnover, whichever is heavier to bear” fines which are imposed. 4% may sound very little, but on the scale of the Internet giants, it can amount to billions of euros.
This leaves the US salty, as they see it as a protectionist measure born of the EU’s jealousy at not having any digital giant – and a bit confused as well at the sight of all of the subscription confirmation e-mails they suddenly received when the law was passed. However, what the US needs to understand is that privacy is seen very differently in Europe. It is, after all, a right defined in the European Charter of Human Rights. In the United States, however, privacy is regulated by sector: in other words, there are different rules in each area.
Cambridge Analytica helped Trump trump Hillary Clinton
To help their image, some of the big platforms decided to implement the changes brought by the GDPR all across the world. This may say a lot about the dirty laundry they are trying to hide under the carpet. Cambridge Analytica’s whistleblower, Christopher Wylie, described the company he belonged to as a “full service propaganda machine”. He exposed the data marketing firm, created in 2014, for harvesting a huge number of Facebook profiles through a special app which gave them access to a tremendous amount of information. Of course, the company denied working with Facebook data, when it had actually been founded on using it. It became particularly problematic with the 2016 US election, when it took the Facebook data, identified target voter groups and designed targeted messages to influence their opinions, becoming a full player for Trump’s Administration.
Data can be extremely dangerous when it falls into the wrong hands. The GDPR is seen as the strictest digital law… but is it enough against the ginormous game of surveillance and trade made with personal information we are so used to giving away freely?