We’ve already talked about this: unlike anyone who inhabited the planet before the advent of the internet, you have the dubious privilege of living simultaneously both actually and virtually. There are folders on your actual desk at work, but also on your desktop computer; there are a TV, a camera, a bin and a library in your room, but also amid the folders and applications on your laptop. Nothing wrong with that, right? Our lives have merely expanded, and the physical limitations have been theoretically eliminated: I can have millions of epubs and pdfs on my computer, but only a few hundred books in my library.
But it gets a bit weirder from there on: you have an ID and a bank account in your real life, but you have a few IDs and bank accounts on your computer as well; you have friends you see once in a while in person, but many more you chat with via Skype, some of whom you will never even meet; you may even be married in your real life, but have a different partner you share your most intimate desires with on Facebook or some dating site.
And this is where it gets really frightening: as time went by, our virtual life seems to have taken over our real life. When was the last time someone asked you for a printed portfolio, instead of a LinkedIn account? Would you prefer handing out a report to your boss written on a sheet of paper, or send him a Microsoft Word or Google Docs file? Does it really count if you’re in an actual relationship if your Facebook status claims otherwise?
But, wait a minute! How would you feel if you knew that someone you don’t really know has a copy of your key, can walk into your room whenever he or she wants, can check both your bank account details and your journals on a whim, and can even share some of your documents and photos with a third person if that person is strong enough to force them or crafty enough to steal them?
Well, that’s exactly what your second life, your virtual life, the one you spend most of your time in, looks like every single minute. Even this present moment is no exception: have you ever wondered how many people know that you’re reading exactly this text at exactly this hour? Would you feel comfortable if you turned your head and saw a few people staring at your monitor unblinkingly?
And it seems that, even though somewhat belatedly, neither would the lawmakers.
It may be the rise of cyber criminals and a few highly publicised leaks that finally tipped them over, but, nevertheless, a few years ago Europe’s lawmakers decided to overhaul the existing data protection laws. Back then, the term “Brexit” hadn’t even been coined yet, and, probably, if Brexit hadn’t happened, we would be talking about a law instead of laws, about the General Data Protection Regulation (GDPR) instead of the GDPR and the Data Protection Bill (DPB).
But Brexit did happen, and Britain had to find a way to keep Europe’s data protection law, even if in a circuitous manner. So, in a way, the DPB is the UK-only counterpart of the GDPR. Designed to align with the GDPR, it is the UK’s way of writing the GDPR’s standards into domestic law so that they keep applying on British soil after Brexit.
But, what is GDPR?
By definition, the GDPR, or Regulation (EU) 2016/679, is a regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing the EU’s 1995 Data Protection Directive 95/46/EC. Two important things to note already: 1) the GDPR is a regulation, not a directive, and 2) as a legislative act, it is not the first of its kind.
The distinction between a regulation and a directive is an important one. Both are primary types of legislative acts in the European Union, but as opposed to a directive, which requires all EU member states to achieve a particular result without dictating the means of achieving that result (each state transposes it into its own national law), a regulation is a legal act which becomes instantly and simultaneously enforceable as law in all member states of the European Union.
In other words, come 25 May 2018, the GDPR will supersede a two-decade-old directive which is currently in force; being a regulation, it will also institute a single set of rules which apply in all member states.
In fact, it seems that the text of the old Directive was not as problematic as the fact that it was a directive. And this is exactly how the GDPR came to be. According to the Commission’s 2012 Proposal for the GDPR (recital 7):
The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the way data protection is implemented across the Union, legal uncertainty and a widespread public perception that there are significant risks for the protection of individuals associated notably with online activity. Differences in the level of protection of the rights and freedoms of individuals, notably to the right to the protection of personal data, with regard to the processing of personal data afforded in the Member States may prevent the free flow of personal data throughout the Union. These differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. This difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.
Accordingly, even though there are a few major differences between the two legal acts (the definition of personal data, the territorial reach of the law, the size of the penalties, the requirement for affirmative consent and a compulsory data protection officer for certain organisations), the most fundamental has to be the simplification, unification and centralisation of the rules throughout the Union.
To put it into layman’s terms: next year, we’re moving from suggestions to orders, from caretakers to law enforcement agencies, from companies who own your personal data to companies responsible for protecting it for you.
Then again, “we” means something different after Brexit. But, no worries – Britain’s got it covered this time. Not that it had a choice, to be honest.
One of the most important aspects of the GDPR is its potential global impact. The GDPR explicitly states (Article 3) that it applies not only to organisations established in the EU, but also to companies based outside the Union if they offer goods or services to people in the EU or monitor their behaviour, and in doing so process their personal data. What this essentially means is that the GDPR is, more or less, a worldwide law.
In other words, even if you’re a UK- or a US-based company, you must still comply with the GDPR if you promote your services within any of the EU member states. Bearing in mind that the UK will be a full member of the EU at least until March 2019, and that all EU rights and obligations – including the GDPR itself between May 2018 and March 2019 – remain in force until then, the DPB is the legislative act which guarantees that nothing will change afterwards, as far as data protection is concerned.
Matt Hancock, the British Minister of State for Digital and Culture, acknowledges this in the Foreword to the 7 August 2017 DPB Statement of Intent:
Bringing EU law into our domestic law will ensure that we help to prepare the UK for the future after we have left the EU. The EU General Data Protection Regulation (GDPR) and the Data Protection Law Enforcement Directive (DPLED) have been developed to allow people to be sure they are in control of their personal information while continuing to allow businesses to develop innovative digital services without the chilling effect of over-regulation. Implementation will be done in a way that as far as possible preserves the concepts of the Data Protection Act to ensure that the transition for all is as smooth as possible, while complying with the GDPR and DPLED in full.
Consequently, commentators have noticed no major differences between the two laws. The two most significant are these: the GDPR grants privacy groups an opportunity to lodge complaints on behalf of consumers, an option absent from the UK proposal; the UK proposal, on the other hand, extends the “right to be forgotten” so that social media companies must delete all data a person shared before the age of 18 if that person asks them to.
Which brings us to the more important part of the equation: the similarities.
The objective of both GDPR and DPB is exactly the same: to address the ongoing issue of internet privacy, by giving the control back to the citizens over their personal data and by forcing organizations and companies to comply with new demands on data safety.
In order to do this, a few modifications and improved legislative mechanisms are put to use.
In addition to the regulatory unification, the most important change introduced by the GDPR is probably the redefinition of what “personal data” means. As opposed to the old regime (the 1995 Directive and the UK’s Data Protection Act 1998), under which personal data was generally understood as a person’s name, photo, email address, phone number, postal address and any personal identification number, the GDPR takes the view that
Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address. – European Commission – Press release, 25 January 2012
The change simplifies things for users, but complicates them for companies. For example, profiling you from your browsing and purchase history so as to advertise fitting products in the future now needs a lawful basis, and you have the right to object to it (Article 21); decisions based solely on automated processing that have legal or similarly significant effects on you are restricted outright (Article 22).
That is, unless you want to.
This is another vital upgrade: from 2018 onwards, instead of opting out of pre-ticked consents, you will be granted an opportunity to opt in – if that seems to you like a better idea. Because under the GDPR, consent must be freely given, specific, informed and unambiguous, and signalled by a clear affirmative action (Articles 4(11) and 7).
So, three things should become a thing of the past: 1) inhumanly long and appallingly written user agreements (read by absolutely nobody); 2) small-lettered notifications which merely inform you that, by clicking Next, you agree to terms and conditions you don’t really know; and 3) greyed-out boxes asking you to tick them if you don’t wish to receive offers and promotions.
Citizens 2. Corporations 0.
Two more rights come with the GDPR: the right to erasure and the right to explanation. The former is probably what you’ll hear about the most, even though, in a way, it has been put into practice in the EU and Argentina since 2006 (just search for “right to be forgotten”); the latter is most likely the thing you’ll hear the least about, even though it may grant you the most power.
The right to erasure (Article 17) is self-explanatory: under the GDPR, any individual has the right to request removal of their personal data on a number of grounds. The right to explanation is something a bit different: it gives any citizen an option to question decisions that affect him or her and that are made on a purely algorithmic basis.
This is connected with the redefinition of personal data and the opt-in consent to use it. Because in addition to Article 22(1), which states that
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Article 13(2)(f) furthermore requires the data controller to provide the data subject with
the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
So, if you’re a pilot who has been detained at airports on 80 different occasions because you are repeatedly confused with an IRA leader, or a black beauty pageant contestant discriminated against by an AI judge, you will have the right to ask for a clarification as to why that has happened; if none is given, the algorithm-using data controller or processor may be liable to sanctions.
Even though this sounds pretty straightforward on paper, it is more than controversial. It has been dubbed “a harmful restriction on Artificial Intelligence” and a possible new kind of “transparency fallacy”. Some even claim that none of the known limitations of AI are as severe as the ones imposed by these new laws, which may cause the field of AI to regress significantly even within the next decade. And this just at the moment when we started to reap its benefits!
However, it has also been argued that the issue has been blown out of proportion, and that, in fact, “there are several reasons to doubt both the legal existence and the feasibility of such a right”.
We’ll just wait and see who’s right about this one.
Article 20, the right to data portability, is pretty straightforward; its consequences – not so much.
The right to data portability gives users the opportunity to receive the personal data they have provided to a controller in a structured, commonly used, machine-readable format and reuse it across different services. For example, a bank must not withhold your personal information if you want to move to a different bank and take all your information there.
However, it also means that you can transfer data from anywhere – to anywhere. Yes, that includes social media. We’ll let you think about the potential significance of this and get back to the problem in the conclusion.
Data protection by design and by default (Article 25) leaves no room for companies to stall implementing the GDPR. It requires that data protection be built into systems and processes at all phases, from inception to the final stages, and that by default only the personal data necessary for each purpose is processed. This means that after the GDPR and the DPB apply, no business (whether existing or formed afterwards) will be granted the privilege of an excuse.
Certain organisations will be required to appoint a Data Protection Officer (DPO) who makes sure the organisation complies with the GDPR (Article 37): public authorities, and any organisation whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. Smaller organisations may share a DPO or appoint one voluntarily. By itself, a DPO is nothing new, but the 1995 Directive didn’t make the appointment of a DPO compulsory, and 62% of the EU member states didn’t put much effort into remedying this.
Lesson learned: they will not have that option anymore.
In the future, data controllers will have no more than three days (72 hours) from becoming aware of a personal data breach to inform the Supervisory Authority (established by each member state to investigate complaints and sanction offences), unless the breach is unlikely to result in a risk to individuals (Article 33). When the breach is “likely to result in a high risk to the rights and freedoms of individuals”, the affected individuals must be told too, without undue delay (Article 34).
The deadline is significantly shorter than most breach-notification periods in force before it. In fact, many organisations are not even aware that a personal data breach has happened within the first 72 hours; the clock, however, only starts once the controller becomes aware of it.
That’s the point, however: rather than concentrating on regulating a company’s actions after a data breach, the GDPR puts the burden of prevention on data controllers and data processors, so that such things happen as rarely as possible.
Even though Information Commissioner Elizabeth Denham dispels the notion of routinely handed-out fines as the biggest GDPR myth, it’s a fact that, under the new law, companies could pay much bigger fines than the £500,000 limit allowed under the UK’s Data Protection Act 1998. Much, much bigger. About 40 times bigger, in fact.
The new upper limit (Article 83): 20 million euros or 4% of a company’s total worldwide annual turnover (whichever is higher). This is the penalty tier for violations such as processing data without a valid lawful basis or consent, or ignoring data subjects’ rights.
Lacking appropriate documentation, failing to notify the supervisory authority within 72 hours, or failing to implement data protection by design could result in lesser fines. Well, so to say – if you consider 10 million euros or 2% of worldwide turnover a lesser fine.
The GDPR and its UK variant, the DPB, seem to be nothing short of a spot-on response by Europe’s lawmakers to a recent Eurobarometer survey, according to which two-thirds of European citizens are worried about having no control over the information they provide online, with a little more than half believing that it is of utmost importance that the rights and protections of personal information be unified across countries.
By redefining what personal data means (to include everything from IP addresses to DNA), by forcing companies to ask explicitly and unequivocally for consent, and by giving users the right to ask for removal of their personal data or even explanations of how algorithms use it – the GDPR and the DPB aim to give citizens much more power than ever before. Then, what’s the problem?
According to most of the industry leaders – there’s none. On the contrary, many of them agree that the legislative acts are not only well thought out, but long overdue. There’s one group, however, which may disagree. And we’re not talking about just anyone. We’re talking about WhatsApp, Facebook, Google. You know, the heavyweights.
It’s time we make our humble contribution to the thought experiment we left you with when we explained what data portability means.
You may have already realized its attention-grabbing implication: if I can freely transfer my personal data from Facebook to another website (before completely deleting it from Facebook), wouldn’t that pave the way for an imaginary – for lack of a better free name – XYZBook, a new company/website which could theoretically hijack all Facebook users within months, or even weeks?
Under the GDPR, Facebook will no longer control your personal data the way it does presently; and people are naturally inclined towards the new. If XYZBook finds a way to attract important people (by, say, investing money or offering some new functionality), and they transfer their personal info from Facebook to XYZBook, how long do you think will pass before the bandwagon effect results in XYZBook becoming Facebook 2.0, and Facebook – history?
Too science-fiction, you say? Well, for one thing, Facebook is not indifferent. And for another, government laws tend to have such unpredictable effects. Just think of when Microsoft was accused of monopolisation for bundling Internet Explorer with Microsoft Windows. It was 2001, and few expected that the ruling would have any effect on the browser wars.
But, you’re not reading this on your IE, are you?