Data Privacy Wars: Will GDPR Turn the Tide?
The recent Facebook-Cambridge Analytica scandal has stirred heated discussions on privacy around the globe. An estimated 87 million people were affected. Although the majority of the affected users are in the United States, Facebook disclosed that the personal data of more than 1 million users in each of the Philippines, the United Kingdom, and Indonesia was also compromised.
On April 11, 2018, Facebook CEO Mark Zuckerberg appeared before the United States Congress to explain himself.
“We didn’t take a broad enough view of our responsibility, and that was a big mistake. It was my mistake, and I’m sorry. I started Facebook, I run it, and I’m responsible for what happens here.” – Mark Zuckerberg
It’s not just Facebook
Facebook may have received most of the media's attention, but it is not alone on this issue. This year, Under Armour's MyFitnessPal app also suffered a data breach affecting roughly 150 million accounts. The exposed data consisted of usernames, email addresses, and hashed passwords. The breach occurred in late February 2018 and was disclosed at the end of March.
“If these hackers were able to match these stolen login credentials to the users’ actual fitness data, just imagine what could happen. Having this level of data would allow hackers to know that ‘Mr. Smith’ has a very specific and predictable pattern of behaviour. Fitness trackers don’t only track calories and the number of steps a person walks in a day; they also know where people are and at what time. For hackers wanting to specifically target a certain person, this data is a gold mine.” – Evgeny Chereshnev, CEO of Blink.Tech
2017 also saw a number of data breaches involving big names such as Uber, Pizza Hut, Yahoo, and Deloitte.
The big data economy
In the 1800s it was the California Gold Rush; in the 1900s everyone was talking about black gold, oil. At the opening of the new millennium, all eyes turned to tech and Silicon Valley.
Today, the 21st century has seen the rise of another currency said to be worth more than gold, oil, or software: you. As Rob Livingstone, a fellow of the University of Technology, puts it:
“We have become the product. We are being productised and sold to anyone. We’re being monetised in essence. We are being mobilised as products with the inducement of the services we use such as Facebook and Twitter.”
Why is your data so valuable? For a start, it reveals your behaviour patterns: which colours you like, which stores you usually go to, which websites you visit, and so on. Businesses can use this information in a variety of ways, from marketing products to manipulating your vote.
Is privacy a lost cause?
For years, we have been battling against companies that take our privacy for granted. And many have declared it a lost cause.
“Give it up. Every click you make on the web is already being tracked. Right now, Amazon and Google know everything about everything you do, and the ads that pop up are all related to stuff that you have been looking at or you thought about. They already know about you.” – David House, Brocade Communications chairman
Have we really lost the war for data privacy?
General Data Protection Regulation
For the people who adopted the General Data Protection Regulation (GDPR), the answer is a resounding NO.
As Reinis Papulis of KRONBERGS ČUKSTE DERLING points out,
“today’s level of technological development and role of personal data in the provision of various services has made it impossible to ensure the protection of personal data (privacy of individuals) at an adequate level with a legal act that was adopted in the second half of the 90’s.”
This prompted the EU to overhaul its data protection rules. Technology changes fast, and the scale of data collection has never been greater. Out of the necessity to protect consumers and uphold data privacy, the General Data Protection Regulation, adopted in 2016, applies in full from May 25, 2018.
As stated in GDPR’s official website:
“The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy.”
What is personal data?
Personal data means any information relating to an identified or identifiable natural person. Under the GDPR the term is read broadly: opinions about a person are personal data, false or inaccurate information about a person still counts as personal data, and pseudonymised data that could be attributed to a person with the help of additional information remains personal data.
Where is GDPR applicable?
The applicability of the previous directive was ambiguous. Under the GDPR, however, the scope is very clear:
“It [GDPR] will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.
The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU.
Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.”
How to process data legally under GDPR
The lawful bases for processing personal data (Article 6 of the GDPR) can be summarised into 6 important points, as presented by KRONBERGS ČUKSTE DERLING:
- Consent of the data subject;
- Performance of a contract with the data subject, or steps taken at the data subject's request before entering into one;
- Compliance with a legal obligation of the data controller;
- Protection of the vital interests of the data subject or another natural person;
- Performance of a task carried out in the public interest or in the exercise of official authority;
- Legitimate interests of the controller or a third party, unless these are overridden by the interests or fundamental rights of the data subject.
The purpose of data processing must be specified, explicit and legitimate, and stated clearly to the data subject.
Data processing is only allowed within the defined purpose. The exception is further processing for archiving purposes in the public interest, for scientific or historical research, or for statistics, which the GDPR does not treat as incompatible with the original purpose.
The Rights of Your Data Subject
Right to be informed. The data subject must be told:
• Identity and contact details of the controller
• Contact details of the data protection officer, where one has been appointed
• Purpose and legal basis of the processing
• Recipients of personal data
• Period of storage
• Explanation of the logic involved in automated decision-making
Right of access. The data subject may obtain:
• A copy of the data being processed
• Explanation of the logic involved in automated processing
• Period of storage
Right to rectification. The data subject may require a controller to rectify any errors.
Right to erasure. The controller must delete personal data if its continued processing
Right not to be subject to a decision that produces legal or similarly significant effects and is based solely on automated processing.
Right to data portability. The data subject may have personal data transferred between controllers.
Every controller is obligated to respond to data subject requests within one month, free of charge; the deadline may be extended by two further months where requests are complex or numerous, provided the data subject is told within the first month. Where requests are manifestly unfounded or excessive, in particular because they are repetitive, the controller may charge a reasonable fee or refuse to act. Any communication with the data subject must be concise, easily accessible, and written in clear and plain language.
Achieving GDPR Compliance
“For startups, in a way you right now are in a better position than older entities as you start from a white page and it should be easier for you to ensure compliance with GDPR.
For businesses in general, GDPR compliance should be a matter of focus right now because the 25th of May is practically here and you don’t have much time left to prepare. There will be a lot of checks from the state institutions. It seems that data protection will no longer be on the back burner. So, at least make the minimum required compliance preparations until 25 May and amend them later (but do not be too late).” – Reinis Papulis, Associate, KRONBERGS ČUKSTE DERLING
To ensure compliance with the GDPR, Legal, IT, and the business must work together. Legal's primary role is to understand the regulation and any applicable codes of conduct, and to develop contract addenda for existing relationships.
IT is responsible for developing system enhancements and information security, while the business identifies the required data and its purpose, develops policies, and conducts risk assessments.
Vedicard outlines 7 key steps that are important in your GDPR compliance journey:
- Build internal awareness
- Audit the current situation in terms of procedures and compliance with the GDPR
- Identify the GDPR requirements as they relate to the organisation
- Update existing policies or create new ones
- Implement changes in IT
- Train people
- Monitor and continuously develop
My company is now GDPR-compliant, what’s next?
Your GDPR journey does not end after you’ve made your business GDPR-compliant. It’s just the beginning. From this moment onwards, you must ensure that every operation is in line with GDPR:
- Legality of data processing
- Honouring the rights and requests of Data Subjects
- Validation and recording of Third Country data transfers
- Reporting and managing Data Breach Incidents
- Developing new policies and fostering GDPR understanding inside the organisation
- Continuous verification of third-party partners’ data processing activities
Breaking the GDPR
What makes the GDPR more powerful than the previous directive is its penalties. On the administrative side, a company can be fined up to 20 million euros or 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher; a lower tier of 10 million euros or 2% applies to less serious infringements.
Unlawful processing of personal data also carries civil liability: any person who has suffered material or non-material damage as a result of an infringement has the right to receive full and effective compensation from the controller or processor. Member states may additionally lay down criminal penalties.
We can see in Mark Zuckerberg’s Senate hearing notes that Facebook is not YET GDPR-compliant. Recognising that people deserve better privacy and protection tools regardless of location, we can speculate that Facebook will eventually extend GDPR-style protections in the near future, not just in Europe but all over the world (*fingers crossed).
“Right now it is very hard to predict what will happen. GDPR puts very heavy demands on data controllers and data processors, but it also seeks a balance between the privacy of the individuals and interests of the data controllers and data processors. Maybe right now ensuring compliance may seem like an administrative and financial burden, but over time all involved parties will find an effective way to comply with the requirements of GDPR and this compliance will become standard.
Moreover, GDPR contains a concept of proportionality – businesses with low risk of personal data breaches should not invest the same time and efforts into the compliance routines as high risk businesses.
It should be noted that right now there is no case law and all of our GDPR understanding is based on strictly theoretical assumptions. Judicial consideration will further clarify the implementation of the GDPR.” – Reinis Papulis, Associate, KRONBERGS ČUKSTE DERLING
The battle for data privacy is not lost. And the enforcement of GDPR shows that we can still put up a good fight against companies that treat our personal data as commodities. However, there’s still a long way ahead of us.
“The real issue is that companies, regardless of regulations in the US or in Europe, should be taking a good look at their information management systems and asking what data is being stored, where it is stored, how easy is it to access and whether its true value is being realised. Only then can they be ready to travel the data protection road safely – no matter what twists and turns lie ahead.” – John Culkin, director of Crown Records Management
P.S. If you want to learn more about GDPR, check out this blog post.