“We have updated our privacy policy” – a closer look into GDPR
I’ve received more than 17 emails from the services with that exact subject. And I’m not the only one whose inbox has been flooded – here’s why.
Europe’s General Data Protection Regulation, otherwise known as GDPR, is a set of new regulations that has the potential to fundamentally flip the – increasingly strained – relationship between the massive technology companies that gather data and the users from whom they gather it.
The issue of privacy in the tech world has been ballooning at a formidable rate, notably with the widespread coverage of the investigation into Facebook’s data privacy practices after the infamous Cambridge Analytica scandal earlier this year.
The GDPR, which became enforceable on 25th May 2018, is a set of regulations passed by the European Union in 2016, setting stricter rules policing how companies manage and share the personal data of users. In theory, the GDPR only applies to the data of EU citizens. However, the global nature of internet services means nearly every online service is affected, and the regulation has resulted in significant changes for users all over the world as companies globally scramble to adapt.
Much of the GDPR builds upon rules set by earlier EU privacy measures such as the Data Protection Directive and Privacy Shield, but there are some crucial aspects of the GDPR that warrant a closer look.
Firstly, the GDPR sets a higher bar for companies to obtain personal data than we’ve ever seen on the internet before. For any instance where a company collects personal data on an EU citizen, it will by default need explicit and informed consent from that person. The GDPR also enforces that users have “the right to be forgotten”. In other words, users need to be given a way to revoke that same consent.
Users should also be able to request all the data a company has on them as a way to verify that consent. This concept has been present in previous iterations of privacy regulations, but the GDPR ensures companies give individuals access to the information that organisations hold about them free of charge. Prior to the GDPR, there was a £10 fee for a Subject Access Request, which businesses and public bodies could charge in order to release any personal information. However, the GDPR means this fee will be scrapped: requests for personal information can be made free of charge, and the information must be released within one month.
These changes make the GDPR a significant improvement on existing requirements, and it explicitly extends to companies based outside the EU.
The tech industry has, especially in recent years, become used to (and highly dependent on) collecting and sharing data with little to no restriction. Furthermore, that freedom has been the primary business model of several companies. The GDPR gives users more control over their data, and also pushes for innovation in the way that online advertising is currently targeted. For companies that have for far too long operated under the rather irresponsible principle of ‘extract as much data as possible and figure it out later,’ reorganising under GDPR will be a pain. Part of the problem is how companies’ data solutions are set up, and a portion of it is that ‘personal information’ is a wishy-washy category. Names, email addresses, phone numbers, location data – those are the obvious ones. But then there’s more ambiguous data, like ‘an oblique reference, like the tall bald guy who lives on East 18th Street.’ Such data would be hard to organise, and that makes GDPR-enforced Subject Access Requests particularly difficult to handle.
To be fair, GDPR as a whole is a bit more complicated than what I’ve illustrated above. Alison Cool, a professor of anthropology and information science at the University of Colorado, Boulder, writes in The New York Times that the law is “staggeringly complex” and practically incomprehensible to the people who are trying to comply with it. Several scientists and data managers she spoke to “doubted that absolute compliance was even possible.”
At the end of the day, the effectiveness of GDPR will only be seen as time passes and will depend quite heavily on how strictly it is enforced. But users like you and me can take steps to be more aware of the rights that we have over the data that we so readily hand over to companies. For starters, go take a look at your Instagram app’s settings page. It looks vastly different to how it did a few months ago – and that’s partly attributable to the GDPR.