Your data, safe at last?
The GDPR email deluge is almost over. Will these new EU rules on how firms
manage our info live up to their promise, asks Douglas Heaven
manage our info live up to their promise, asks Douglas Heaven
DO YOU still want to hear from us? The biggest overhaul in digital rights in more than 20 years is finally here, and it’s creating a wave of spam. Organisations of all stripes from Facebook to the UK
government to that hipster coffee shop on the corner you once gave your email address to – have been filling inboxes with variations on the same question, in anticipation of a European Union regulation that comes into force on 25 May. A central tenet of the new General Data Protection Regulation (GDPR) is that when we give consent for our personal data to be collected on signing up for services – such as social networking, online shopping or marketing emails – it must be given explicitly, not via a pre ticked box. Firms are sending pleading emails asking us to opt in so that business can continue as usual. But it may be for nothing. “It’s all rubbish,” says Lilian Edwards at the University of Strathclyde in Glasgow, UK. Many of these companies already have your consent from when you signed up in the first place, she says. There’s nothing in the new regulations that says they have to ask for it again.
Flooding your inbox was never the goal of the GDPR. Rather, it is meant to be the EU’s attempt at reinforcing human rights for the digital age, especially when it
government to that hipster coffee shop on the corner you once gave your email address to – have been filling inboxes with variations on the same question, in anticipation of a European Union regulation that comes into force on 25 May. A central tenet of the new General Data Protection Regulation (GDPR) is that when we give consent for our personal data to be collected on signing up for services – such as social networking, online shopping or marketing emails – it must be given explicitly, not via a pre ticked box. Firms are sending pleading emails asking us to opt in so that business can continue as usual. But it may be for nothing. “It’s all rubbish,” says Lilian Edwards at the University of Strathclyde in Glasgow, UK. Many of these companies already have your consent from when you signed up in the first place, she says. There’s nothing in the new regulations that says they have to ask for it again.
Flooding your inbox was never the goal of the GDPR. Rather, it is meant to be the EU’s attempt at reinforcing human rights for the digital age, especially when it
“ Previously, we had regulations that everyone assumed they could get away with breaking” Firms in the EU can no longer rely on users’ casual consent
ticked box. Firms are sending pleading emails asking us to op in so that business can continu as usual. But it may be for nothi “It’s all rubbish,” says Lilian Edwards at the University of Strathclyde in Glasgow, UK. Man of these companies already hav your consent from when you signed up in the first place, she says. There’s nothing in the new regulations that says they have to ask for it again.Flooding your inbox was new the goal of the GDPR. Rather, it meant to be the EU’s attempt at reinforcing human rights for th digital age, especially when it Firms in the EU can no longer
rely on users’ casual consent comes to abuses of personal data. Rather than introducing new rights, it is shoring up existing ones. The UK has had good data protection principles in place since 1995, says Edwards. Now they have teeth. For example, organisations will now need to show that they have obeyed the law at each stage of the data collection and processing pipeline. “It makes data protection
a bit more than a box-ticking exercise,” says Edwards.
“Previously, we had regulations that everyone assumed they could get away with breaking.” No longer. Among the most talked-about aspects of the GDPR are the large fines that national data protection agencies, like the UK’s Information Commissioner’s Office (ICO), will be able to impose on miscreant businesses. For serious violations, companies can be hit with a penalty of up to €20 million or 4 per cent of their global turnover, which should hurt even the biggest tech firms. Don’t reach for the popcorn just yet, however. “Nothing will happen on 25 May,” says Edwards, as we don’t know how bodies like the ICO will enforce the new rules
Policing information
“How much of a difference GDPR makes depends on several unknowns, including the willingness of data protection agencies to use fines and how they are funded,” says Reuben Binns at the University of Oxford. He points out that the ICO has never imposed its current maximum fine, and that suchrestraint is likely to continue. As for funding, data protection agencies have little to work with –the ICO’s budget is tiny compared with what the legal departments of big tech firms enjoy, says Michael
Veale at University College London Partly this is a hangover from when these agencies were set up, before the explosion of the internet. “Now the same agency has to police the information society,” says Edwards. Brexit could make its work more complex (see “The Brexit factor”, below). Just how far companies can go before getting slapped with a fine could take years to settle, while courts determine interpretations of the rules. Legal proceedings will drag several thorny issues out into the light, and ultimately, the tech giants could be forced to give up some of their worst habits. Facebook is one company that could come face scrutiny. Under the GDPR, firms will not be allowed to coerce us into handing over personal data. This means they cannot make access to a service – like a social media network – contingent on the user giving up data that is not essential
to the running of that service. That might bar Facebook from turning away people who do not want to receive targeted ads based on their posts. However, Facebook could argue that this is an “essential” part of their service. Another potential flashpoint is data portability. The GDPR says that you should be able to take your data from one organisation and give it to another – for example, by downloading your Facebook data and uploading it to another social network. But expect fierce fighting over what counts as your data and what counts as Facebook’s. Does your web of social connections belong to you, or the social network? It’s unclear how such stand-offs will be resolved. In extreme cases, data protection agencies will have the power to stop companies processing data, effectively switching off their operations in the EU. “They could tell Apple to turn off Siri or Facebook to stop targeting ads at people,” says Veale. “It’s unlikely, but possible.” If such things happen, one result of the new rules could be a growing digital divide between the US and Europe. For some firms, the costs of complying with the regulations are simply too high: they are shuttering their EU operations. So far, the ones doing this are involved in selling niche services that few EU residents will miss, though a handful of online video games are also closing shop to EU players. The EU is also saying goodbye to the controversial service Unroll.me, which automatically unsubscribes users from unwanted mailing
“The European Union could tell Apple to turn off Siri or Facebook to stop targeting ads at people
lists while also selling marketing data gleaned from those users. There does not seem to be any way to square the EU’s new approach to data with the activities of businesses that profit from harvesting and selling data to third parties. That is arguably a good thing. Unfortunately, given that this is how a lot of companies operate online, many are looking for ways to avoid being covered by the new rules.In response to this, some enterprising start-ups are offering web tools that simply detect EU visitors and block them. The thinking is that if nobody from the EU can use your service, the new rules surely don’t apply. Much hype and hand-wringing has accompanied the GDPR. Now that it is here, will it have been worth it? The frustrating answer is that we won’t know for a while yet.
“We’ll see a lot of court cases,” says Veale. “Historically, data protection has not been litigated very much. This is going to change.”
THE BREXIT FACTOR
The European Union’s new data regulations (see main story) will apply to the UK in the run-up to Brexit, but what happens afterwards? Although UK data protection laws are unlikely to alter as a result of leaving the EU, the way the two exchange data may change. The EU has always made data
sharing deals with outside countries, based on whether their domestic data protection laws were deemed “adequate”. After Edward Snowden revealed the global scale of the US National Security Agency’s online snooping, the EU demanded a renegotiation.
The UK will have to make similar arrangements with both the EU and the US post-Brexit. But the EU is not likely to judge the UK kindly. Thanks to a law called the Investigatory Powers Act, the UK government runs one of the most intrusive digital surveillance schemes in the world. It also wants yet more powers. The Data Protection Bill, which Parliament passed this week, aims to exempt immigration matters from data protection rules, for example. This means the UK may find that life is tougher on the outside than in. “What few people realise is that when you’re actually in the EU, you’ve got more liberty to disobey EU law because you’re assumed to be compliant,” says Lilian Edwards at the University of Strathclyde in Glasgow, UK. “Once you leave, they will actually check.”
sharing deals with outside countries, based on whether their domestic data protection laws were deemed “adequate”. After Edward Snowden revealed the global scale of the US National Security Agency’s online snooping, the EU demanded a renegotiation.
The UK will have to make similar arrangements with both the EU and the US post-Brexit. But the EU is not likely to judge the UK kindly. Thanks to a law called the Investigatory Powers Act, the UK government runs one of the most intrusive digital surveillance schemes in the world. It also wants yet more powers. The Data Protection Bill, which Parliament passed this week, aims to exempt immigration matters from data protection rules, for example. This means the UK may find that life is tougher on the outside than in. “What few people realise is that when you’re actually in the EU, you’ve got more liberty to disobey EU law because you’re assumed to be compliant,” says Lilian Edwards at the University of Strathclyde in Glasgow, UK. “Once you leave, they will actually check.”
0 Comments