The General Data Protection Regulation: What You Need to Know
If you been following the news, particularly the Facebook scandal, you’ll have caught wind of something called the GDPR, which is set to start protecting EU citizens’ data from May onward. We decided to delve into this bit of EU legislation and give you our take on the General Data Protection Regulation, to give it its full name, and to see how it might change the world.
The EU GDPR will come into effect on May 25, 2018 and will affect basically every single business that keeps the data of customers in the EU — which these days means pretty much every business, period.
This means that the GDPR is also going to have a global impact, simply because many, if not all, corporations are already doing business in the EU and will likely roll out any necessary changes to international customers if only to save themselves a world of trouble.
A set of laws first thought up in Germany will thus affect people from the United States all the way to Australia (look at the map from East to West to get the most out of that figure of speech). Not to everyone’s satisfaction, of course, but on the whole, the CommQueR.com editorial team is coming down in favor of the GDPR: sure, it’s bulky, but it gets the job done.
Though the Facebook scandal is the first to truly get the blood flowing among people, the fact is it’s only the latest in a massive string of privacy breaches over the last two decades. That’s leaving aside the almost systematic way in which companies around the world, often in collusion with government, have been using the data of you and me to make obscene amounts of money, our rights be damned.
As you can see, if you expected us to get off our digital soapbox for this one, consider yourself disappointed. In fact, we stacked another soapbox on top of our regular one just to write this article. It makes for uncomfortable writing, but the pleasure of cheering on one of the first truly strong pieces of privacy-protection legislation makes it worthwhile. Let’s get into the most important parts of the GDPR.
Privacy Then and Now
Currently, the data of EU citizens is safeguarded by a set of rules first put out in 1995. Back then almost nobody used email, the internet was a series of tubes you accessed by using Netscape (many readers will have no idea what we mean, others will have that ugly lighthouse logo pop up in their mind’s eye) and social media was calling your friends to see how they were doing.
We’re not waxing nostalgic here, by the way, the 21st century is awesome.
As you can imagine, though, any rules set out during that time have been caught up by technology; it’s like having the speed limits set for horse-drawn carts apply to public highways now. The EU has from time to time patched holes in the old laws with new addendums, but, much like badly laid plumbing, you can only patch it so many times before you have to replace it altogether.
That replacement is the GDPR, which after much, much debate in Brussels and Strasbourg, was passed on April 14, 2016 — EU laws need to mature, so to speak, for two years before they come into force. Unlike much privacy legislation past and present, the GDPR has teeth: non-compliance will result in either a 20 million euro fine or four percent of annual global revenue, whichever is highest. Ouch.
No wonder then that many businesses are scrambling to get their house in order before the GDPR comes into effect. The rub, of course, is that the GDPR is very far-reaching, meaning that companies that never even thought they might have to worry about the data of their customers are suddenly faced with a host of measures they need to implement.
It’s not exactly fair, but then again, they have the dodgy practices of powerful corporations to thank for their predicament more than the EU. Every once in a while a story will surface where a corporation, company or app was given certain privileged data and then, knowingly and willingly, sold it on to others for whatever reason. A recent example is one where gay dating app Grindr disclosed its users’ HIV status to help “optimize” the service.
Besides willingly and knowingly selling on data, many corporations simply employ shoddy security, as you can read in our piece on cybercrime. Compounding that negligence is, of course, the fact that after such an event many companies don’t want to lose value, so hide the fact that anything happened — like Equifax did. This is why the GDPR makes breach notification a duty, so people know their data is on the market.
Such examples alone could fill up a ten-thousand word article, so let it suffice to say that what makes the Facebook scandal stand out is the scale of the shenanigans as well as the fact that it’s a rare example of the mainstream media picking up a privacy breach. In any case, there are plenty of honest people paying the price for these jokers’ antics, but then again, what else is new?
A Privacy Law with Teeth
So what is it exactly that makes the GDPR so special? Why not simply retool existing privacy laws? The EU is, after all, one of the strictest when it comes to privacy already, so you may be forgiven for wondering what the big deal is.
As is often the case with earth-shattering developments, there’s no catchy single sentence that can capture the nature of the privacy revolution thought up in Brussels. However, since we always like a challenge at the CommQueR.com office, we’re going to give it a shot: the EU is seeking the limits of legislation by enacting a set of rules that govern both the application and scope of privacy-protection laws.
We have to admit we’re fairly pleased with that one.
Moving on from our self-congratulatory laurels, let’s break it down a bit. We already mentioned the absolutely brutal fines companies will face if they’re found in breach of the GDPR. These set the regulations apart from the slap-on-the-wrist approach taken by most legislators. Where in many countries tough-ish laws exist on paper, in reality, there’s no chance selling on data will result in a real punishment.
The four-percent-or-twenty-million rule offers a real deterrent, hopefully, one that savvy lawyers won’t be able to circumvent too easily. Interestingly enough, any time a company breaks the GDPR rules and the data of even a single EU citizen is involved, the company will have to appear before a European judge thanks to a principle called extraterritorial applicability.
This principle is also what has a lot of people fearful for government overreach upset with the GDPR: the EU is giving itself powers over companies outside its jurisdiction simply because they happen to house the data of EU citizens.
We understand these fears, of course, and agree with them to a certain extent: there are plenty of examples of governments not being particularly respectful of citizens’ privacy, from the U.S. Patriot Act to PRISM to the UK’s Snooper’s Charter and the Dutch sleepwet. But these are separate issues, where governments go after suspected terrorists, whether these efforts are misguided or not. The GDPR is about protecting everyone from spying by corporations and marketers.
Fact is, there should be some middle ground between the kind of state control the GDPR proposes and something more laissez-faire in nature. However, the greed of corporations has grown to such heights that they have polarized the possibilities and the only choice left to us is the heavy-handed approach of the EU or the complete madness of, say, the American system of privacy legislation (e.g. you’re on your own).
One of the tactics used by major corporations to dodge all kinds of rules is to simply set up shop out of reach of strict regulations, or at least do so on paper. A good example, though more financial than privacy-related, is the double Irish with a Dutch sandwich which lets Apple and Google, among others, avoid paying their taxes.
Corporations are very powerful and have deep pockets, the only way to make sure they adhere to the rules is some kind of extraterritorial legislation. In the case of privacy, the EU will now provide this for its citizens. As we said earlier, however, it’s going to be hard for anyone to separate that data from everyone else’s, so in a sense the EU has now appointed itself the guardian of everyone’s data.
Right to be Forgotten
So what other characteristics does this guardianship have? Well, the rest of the GDPR is mostly about our rights as people whose data is being held. For one, EU citizens now have to consent to their data being stored and that consent can only be given if they have been adequately informed.
In a way this is the clause that will remove hurdles more than anything, as it will do away with the insane terms and conditions we consumers are presented with every day. Rather than waste time (76 workdays per year according to one publication) reading all the arcane terminology the EU now expects companies to offer clear and legible ones. How exactly that will be judged is unclear, but, hey, it’s better than nothing.
Another mechanism that will improve our consent over the data that’s being kept is the so-called right to access, giving EU citizens the power to request what data is being held by any provider and request it to be deleted using the new “right to erasure,” also known as the right to be forgotten, or move it to another provider using the portability clauses of the GDPR.
This offers a great deal of flexibility to citizens: if you don’t trust a certain provider you can simply decide to no longer store your data with them. Either move it to another or have it destroyed entirely. This will be a comfort to those who worry about a company’s integrity, either when it comes to selling data or security.
Though the limits of the right to be forgotten are a bit vague — currently there is a lawsuit running in the UK that has this exact question on the docket — it works well for people who had pictures or information leaked and want that evidence removed. Though it isn’t perfect, the internet has a long memory and cached files on some dude’s hard drive can’t be erased, it is a great relief for people who need it.
Not that all those people are innocent, now: plenty of dodgy business men and shady politicians have made use of it, too. Though it’s hardly fair that they escape their day in the court of public opinion, free to sucker their next victim, the benefits to the innocent in our opinion weigh up to the damage a few blackguards will do (though in individual cases courts have ignored the right).
Covering Loose Ends
All the above sounds great, but anyone familiar with corporate machinations will know many bits of malfeasance can be covered by claiming technical difficulties or other practical, hard-to-prove issues. The GDPR legislation is aiming to get around this by implementing privacy by design, a concept that holds systems need to be built with the privacy of people’s data in mind first and foremost.
This sounds nice and vague, because how do you prove someone’s intentions? Article 23 of the GDPR states the following: “The controller shall … implement appropriate technical and organisational measures … in an effective way … in order to meet the requirements of this Regulation and protect the rights of data subjects.” That doesn’t really clear it up much, we admit, but that’s where the next interesting change comes into play.
The GDPR also requires certain companies — ones handling sensitive data, basically, so not every single mom and pop store with a database — to assign a Data Protection Officer whose job is basically making sure people’s bits and bytes are safe. It also makes life a little easier for large companies as they can have their DPOs handle all the reporting paperwork, rather than have to deal with each of the governments of where they are based.
Final Thoughts
And there you have it: our thoughts on the General Data Protection Regulation. Though the legislation is far from perfect and comes with a lot of paperwork, the way the world is now, it seems that we either suffer with over regulation or have our data be used as yet another commodity by greedy businessmen and shady cyber criminals.
We hope this article cleared things up a bit as well as informed you of why the GDPR is a good thing. Though our perspective is a little colored, we do feel that on balance this new set of rules will prove beneficial in the end.
If you want to know more about staying safe online, check out our online privacy guide. If you want to share your opinion on the GDPR, feel free to do so in the comments below. Either way, thank you for reading and stay safe.
Fergus is the former chief editor and resident curmudgeon of CommQueR.com. Though he no longer steers the team, he's stuck around to write investigations and news stories (and to annoy newer team members with tall tales). You can contact him at fergus [at] commquer.com if you've got a hot lead; anything else will likely get ignored.