Europe's new privacy law, the General Data Protection Regulation (GDPR), will become effective on 25 May 2018. It's a date a lot of organisations are dreading, as they need to get their IT systems in order. A less talked about subject is the impact of the law on users, who get additional rights. This article explores what it means for users and discusses the effects on your life.
{!The GDPR}[If you want to know more than is provided in this article, you can browse the full legal text at GDPR-info.eu or check out an explainer in normal text at whatisgdpr.eu] is meant as a new privacy law spanning the whole of the European Union, aimed at providing up-to-date regulations for organisations that use personal data. It replaces the 1995 Data Protection Directive, which doesn't provide the necessary tools for the changed digital landscape.
Even though the law only affects citizens of the EU, it'll still have a rippling effect throughout the world. Any organisation that handles personal data from EU citizens, no matter where it's based, will have to comply with the GDPR, which means that a lot of standardised products will be changed for everyone. In this article, I'll focus on the privacy aspects of the law.
User Consent
The GDPR follows the underlying philosophy that users are ultimately responsible for their own personal data. They choose whom to share it with and under what conditions it's done. If you don't agree with an organisation's use of your data, you can choose not to use their services, with the exemption of parties that have a legal decree to gather such data (e.g. the government).
This is all categorised under consent. Whenever an organisation wants to process your data for reasons other than {!a lawful one}[Aside from legal obligations, this also includes processing required to uphold contracts. Individual nations may have slight variations on what’s considered lawful processing.], they require your explicit consent. With this, the burden of proof for consent lies at the data processor. Any party processing your personal data must be able to show that they have the right to do so.
The GDPR gives several conditions for consent. The first is that this must be presented so that it's clearly distinguishable from other purposes, which means different checkboxes for agreeing to the terms and conditions and the newsletter for example. Any unclear form of consent is considered not binding, meaning that they have no legal right to process your personal data. Users also have the right to withdraw their consent at any time without specifying a reason.
These definitions silence a whole debate around consent. For a long time, organisations worked with implicit consent, as using their services meant that you were okay with what they did with your data even if it wasn't clear what exactly that entails. A quick look at last year shows that this wasn't the case before, where I found cases such as Google scanning Gmail contents to deliver targeted advertisements.
User Rights
To adhere to the philosophy of the user in control, there are certain tools a user must have to get that control. That way, you can guarantee that the processing of your personal data only happens with your consent.
The right of access
One of the most impactful rights for user is the right of access, also called the right to be informed. It gives you the right to know exactly what happens with your data. You should be informed about what data is being collected, but also on what your data is used for and who it's shared with. You have the right to be informed about how, why and where your data is being used. This leads to more transparency, allowing you to make better choices about whether or not you want to use a service.
The right of rectification
The GDPR also grants the right to have any data corrected at any time if it appears inaccurate or incomplete. If you requested access and see that your age is incorrect, you can tell the organisation that it's incorrect. This extends to government services as well, where I can say from personal experiences that it would be much easier to call on a right than to jump through hoops communicating with multiple parties that you're really {!living somewhere else}[When I was moving, a known bug happened in a local government system and my change of address was not processed. It caused me some major headaches, because at the time I wouldn’t receive my student loan unless I was registered at an address.].
The right of erasure
The right of erasure, also called the right to be forgotten, means that you can request an organisation to remove all data they have on you, even if you previously gave consent for its collection. This right already exists and first came into major publicity when the European courts forced Google in 2014 to {!comply with removal requests}[A Spanish man wanted Google to remove search results for two foreclosure notices from 1998. The man had paid his debts and the historical article reflected negatively on his current situation. As the purpose of the notices was to attract buyers to the auction and had since fulfilled his purpose, so the courts ruled that they could be removed. The full article and surrounding discussion on The Guardian].
It's not a right without controversy, as free speech advocates say that it may limit free information. While a valid point, {!leaked data from Google}[Data was leaked on 220.000 individual request to remove data. 95.6% of requests were of a personal nature and 48% of these were granted. In categories such as public figures and crimes, the approval rates were much lower. Full breakdown in The Guardian] in 2015 shows that 95% of these requests came from individuals that wanted personally identifiable information removed from search results. In the grand scheme of things, it means that this right certainly has its merits. Edge cases exist of public figures and criminals wanting to see unfavourable requests removed, but these are a small minority.
The right of restriction
You can request certain limitations on the access to your data. For example, you can allow your email provider to collect your personal data but deny them from sharing it with their advertising product (as Gmail did up until 2017). This ties in directly with the new rules for consent, where they need your explicit consent to process data for every different reason.
The right of portability
A major upset in the GDPR is the right of portability. Because digital services are each designed in their own way, it can be difficult to leave a service and take your business elsewhere. The right to portability guarantees you can do this. It requires organisations to deliver your data in a machine-readable format. This can then be imported to another service that understands that data.
The right of objection
The right to object means that you can object to the processing of your personal data for several reasons. This includes the right to object against profiling, something that advertisers do to present you with personalised advertisements, as discussed in The uncomfortable business model of the internet. Data processors must then comply and stop processing your data unless they can show a substantial legitimate reason for doing so.
The GDPR also differentiates automated decision-making, giving you the right not to be subject to a decision solely based on automated processing unless explicit consent is given.
Infringement on your rights
The GDPR aims to protect you when your rights are infringed upon. Infringements can happen internally and externally. External infringements are incidents where an organisation is presumably not at fault. This concerns things like a security breach. When that happens, the organisation is required to inform you of the data breach and leave contact details which you can use to get more information regarding the breach.
If the infringements on your right is internal, meaning that the organisation is at fault, you have the right to complain to any of the parties involved in the data processing. This also includes things like their handling of a security breach. An organisation must deal with the complaint within three months, otherwise you can take the case to court. For any party outside of the EU, this means that they can be sued inside of the EU, making the case fall under European laws.
And here comes the kicker: companies who breach your rights and thus fail to comply face penalties of up to 20 million euros or 4% of their global annual turnover of the preceding year, whichever is higher. In addition, users are granted free legal advice from {!}Your Europe Advice}[Your Europe Advice is an EU advice service for the public, aimed at informing and explaining EU rights to citizens and businesses. More on their webpage].
Before you take an organisation to court, it's advised to deposit the case at the supervisory authority. Each member state of the EU must have a public authority tasked with monitoring the application of the regulation to protect the above rights.
A different design philosophy
Because we aren't done yet, the GDPR also requires organisations to adopt a new design philosophy in their products. This is embedded in four fundamentals: privacy by design and default, and security by design and default.
Privacy by design is about designing services in a way so that the amount of personal data used is minimised. It requires the designers to think about privacy from the get-go. They have to assume that protecting a user's privacy is the default operating mode of the service. Right now, privacy is often tacked on as a late concern and thus not incorporated in products from the start, often leaving many holes in a privacy-aware product. Privacy by default lies in extension of this, meaning that no personal data should be processed without explicit user consent.
Respecting privacy must be considered integral to the innovation process.— U.S. Federal Trade Commissioner Edith Ramirez
Security by design lines out a set of principles that a service must follow for it to be secure. It requires organisations not only to implement basic security measures, but also explain why they do so. Security by default is once again an extension on this principle. I won't go into it too much, as it's not the focus of this article.
Impact on the digital landscape
The GDPR is still fresh and not yet effective. As the date of 25 May comes closer, organisations start communicating the changes they're making to their services to comply (under the guise of caring for your privacy). While the full effects have yet to be seen, we can make some educated guesses at what will change for users. It's also impossible to predict how much of an impact this will have on users outside of the European Union, but I assume that many services will implement these changes for their worldwide audience.
Transparency
The foremost change is the increased transparency under the GDPR. If an organisation processes your personal data, it's required to inform you to what extent they do so. They also need your explicit consent for every way in which they plan to use your data, meaning that they must explain precisely what they do before you agree.
It's a well-known fact that most users don't read privacy policies and terms of service. By having you explicitly check a box for each purpose an organisation has with your data, you will be more aware of the way in which your data is being processed. This makes it much easier to make an informed choice when deciding whether you want to use a service.
For those more willing to read and spend energy, the user rights provide a great set of tools that allow you to get a good insight in how your personal data is being used and what has been collected.
Better Privacy Controls
As organisations mature in their compliance with the GDPR, I foresee an increase in the available privacy controls. Many organisations don't allow for the automated deletion of data right now. Think of that webshop that has your address and sends you a folder out of the blue. If by logging in you could tell them to delete your data, you could just end the service. It beats the laborious process of sending an email and explaining yourself by a mile.
I expect similar features for other rights. Facebook is a good example in this. They allow you to delete your account and to download your personal data. While I wouldn't argue for Facebook being a privacy supporting company, such functions are great to have and I'm glad they're there.
Privacy Activism
The GDPR is the realisation of the dreamed-of box of tools for privacy activists. With these rights, they can figure out much more of what a company does with its data and even threaten to take them to court.
This aside, it also helps those trying to make the digital world a better place for everyone by informing organisations of potential violations. This goes from reporting potential data leaks to starting a conversation of how personal data is being processed.
If you don't like it, object or leave
With the user rights, you have much more control over your personal data. With the right to object, you can speak up against the abuse of your data under the threat of hefty fines. By doing so, you have the power to force organisations to comply with the law or face the consequences.
And if the company hesitates too much or you don't like the way they interpret privacy, the right to portability is a great way to tell them to get lost. You can get your personal data and take your business elsewhere. Sure, you may lose some functionalities, but you're no longer stuck to a certain platform because you have a history there.
Object against automated decision-making
The GDPR includes a provision on the right not to be automatically judged and profiled, meaning that it requires human intervention if so desired. This allows people who face negative consequences because of automated decision making to object. Some cases where this happens are especially sad, such as people getting bad credit ratings because somehow they get someone else's information linked to them.
Sign away your privacy or leave
A potential for negative backlash can be found in the possibility that organisations require you to consent to a whole host of privacy-invading terms for existing services. By choosing the easy way out, an organisation could make you consent to signing away your privacy or lock your account. I doubt that this will happen too much, as it reflects poorly on any organisation doing so. It remains to be seen though.
Closing Thoughts
With the GDPR less than 2 months away, it's time to start looking at what it will mean for consumers. I've already been making an inventory of companies I want to request my data from the day the law goes into effect, but by all signs I'm in the minority. Although I predict that most users will never actively use these rights, having them at all may just make the digital world a more privacy-friendly place.
Overall, I'm hopeful for the promises that come with the GDPR. Organisations are truly starting to sweat and the EU, which has previously shown that they're not scared to take Google and Facebook to court, is a big enough threat to force them to comply. Personally, I can't wait until May 25.