Disclaimer: This material has been prepared for informational purposes only, and is not intended to provide, and should not be relied on for legal advice.
If you haven’t been living under a rock, you’ve probably heard of the barrage of allegations that have been leveled against internet heavy hitters Google and Facebook for the misappropriation of user data. An issue probably no better and more infamously exemplified than through Cambridge Analytica expose where the data of at least 87 million Facebook users was secretly harvested and used to subvert public opinion and undermine democracies.
Google and Facebook have been collecting data on you without your explicit consent for years, and their entire business is based on the trade of this data. Though all allegations of using data to destabilize governments and to sell products to people who don’t want them have been levied against third-parties, these tech titans have earned billions of dollars through selling the data they have collected and using it to target advertising.
The new General Data Protection Rules of the European Union or GDPR is one of the most significant reactions that governments have had to the threat of mass data misappropriation. The act, which came into effect on the 25th of May 2018 replaces an existing directive from 1995, which will limit the way that businesses collect, store and export personal data. The essence of the act is to protect an individual’s personal data and to broaden their rights. Let’s first look at the kinds of data these companies collect on you to understand why it is so valuable and potentially dangerous.
So what data do these companies have on you?
Google stores your location (if you have the location tracking feature on) and can generate a complete timeline of where you’ve been from the first day you opened Chrome on your phone. It also knows everything you’ve searched and deleted because it stores your search history across all your devices.
Google has also created an entire targeting avatar of you based on information you have supplied such as your location, gender, age, hobbies, career, interests and income. They build this list from the things you like to search, the apps you use, and your YouTube History, and can fill millions of Word docs and Excel files.
Your favorite social media platform is just as shady; Facebook collects every single message that you have sent or received, all the contacts in your phones, your audio files, your interests based on the things that you’ve “liked” and your location and device details based on data from when you log in.
After this information came to light, data protection champions began really examining how these large companies were leveraging data that had been obtained without their user’s permission to grow their businesses. For example, Google’s former “Design Ethisist” – Tristan Harris has said that “The advertising business model is the thing that forces technology companies to maximize attention. Zuckerberg said on his earnings call that people were spending one or two minutes less on Facebook a day, and that was 50 million hours less per day. They can only do that to a certain extent. They can’t halve the amount of time that people spend on Facebook. That would be way too much. Their stock price is too hinged on a certain amount of usage.”
What does the GPDR outline?
The regulations will affect not only EU citizens themselves but also to all companies that process the personal data of EU citizens as well. The act defines “Personal Data” as “Any information that can be used to identify a person, such as a name, email, photo, IP address, bank details, posts on social networks, medical information, biometric data and sexual orientation.
The GDPR regulations set out three conditions that parties collecting user data must get their users to agree to before they collect their data:
- Businesses must be transparent about why they are collecting the data
- What the collected data is going to be used for
- If the data is being transferred to a third-party, what is the third-party using the data for?
The act assigns users with new rights which means that tech titans can be held responsible for their data breaches. The GDPR sets out a series of new rights for individuals including the right to request for the data that a company has on them by submitting a “data subject request”. The companies in question must then volunteer this information for free, which means that the data must be stored in a method that allows it to be easily retrieved as well.
One of the major shifts is also in the default negative status in approving data contracts. Data collectors are compelled to make users and make users actively elect to allow data to be collected, transferred, and processed by third parties.
The new rights also include the “right to be forgotten”. This means companies must delete someone’s data if they withdraw their consent for it to be held.
What makes this piece of legislation such a game-changer is that it is placing a lot of power in the hands of the public who will now be in control of the data they share with these websites, when, and for how long.
So what does this mean for the future?
Tech titans such as Google and Facebook who have been built on the business model of leveraging data on behalf of third parties, and use this data and these platforms in their marketing and communication efforts will have to change to comply. There would also be repercussions for data processors and controllers because if a person within the EU is using the data processing services of a firm in the US, this firm too would have to be GDPR compliant.
The changes set out by the GDPR will not only effect companies within the EU, but also those who have worldwide reach such as Google and Facebook. In the context of online advertising, this may mean removing all personal data from online advertising – Android has already announced that it will start offering publishers the option of showing non-personalized targeted ads as well as vice versa where users themselves would be able to opt out of interest based ads.
With Facebook, the network has pledged to diligently comply with the GDPR ruling, with CEO Mark Zuckerberg saying “We intend to make all the same controls available everywhere, not just in Europe.” He went on to state however; that the world-wide controls would not be in exactly the same format, saying that they would “need to figure out what makes sense in different markets with different laws in different places. But let me repeat this, we’re going to make all the same controls and settings available everywhere, not just in Europe.”
The changes that are set out under the new law will not merely alter user agreements, but also influence how businesses themselves carry out their activities. For example, any business or data processor can only store the data for as long as the data is relevant to the purpose disclosed to the user at the time of obtaining the data.
Businesses can also go one step further to comply with the rules by carrying out regular list hygiene tests which will ensure that they are not hoarding data obtained from users. Also, if the business is hit by a data breach, under the new rules it has an obligation to inform its users of the same within 72 hours.
It is also advantageous to become as familiar as possible with the GDPR and what rights it is setting out for both users and companies by reading the bill itself at https://www.eugdpr.org/.