New EU Privacy Law
Many online users have likely noticed an influx of emails from companies announcing new privacy policies and user agreements in response to new EU law. The General Data Protection Regulation (GDPR), which applies from 25th May 2018, is the most significant data protection overhaul in two decades, replacing the outdated and much criticised 1995 EU Data Protection Directive (DPD). It seeks to address the growing challenges of globalisation and international data flows, and to improve users' control over their own personal data online. The new rules apply to every company that processes the personal data of people in the EU, no matter where the company itself is based.
Why Change the Law?
The 1995 Data Protection Directive was introduced to enforce privacy as a fundamental human right, giving people protection over their personal data. From the spread of IT and computer systems in the 1970s onwards, European institutions proposed measures to regulate the flow of data and have continued to adapt their legislation as technology evolved. However, in light of the recent Facebook/Cambridge Analytica scandal and other similar cases, questions have been raised about the effectiveness of the current law in protecting consumer data from misuse and exploitation.
Facebook is not the only company guilty of passing on user information to third parties; news media regularly report breaches and misuse of personal data, including the Equifax data breach, in which millions of people's personal information was exposed, and even the British police, where personnel were found to be mishandling sensitive personal data. Researchers at Baldwin Wallace University also found that 40 of the 800 mobile apps they tested exploited user information without permission, with a common risk of data being passed on to advertisers and other third parties without the user's knowledge. With user data stored across numerous websites and mobile apps, it is no wonder there have been calls to update EU legislation that is more than two decades old.
In the digital age of business, personal data is regarded as the basic currency of the information economy. It is a key component of business competitiveness, allowing companies to understand their market better, or even to innovate new products and services by discovering new markets through a better understanding of potential consumer needs and demand. Hence the saying that applies to free mobile apps and online services: "if you're not paying for it, you're the product."
What Improvements Does the New GDPR Offer?
With personal data being an economic driver for businesses, it is no surprise that the EU has called for stricter regulations to protect consumers. However, there are many obstacles the new law has to overcome in a fast-paced digital age.
Many critics argued that the Data Protection Directive failed in three main areas, which the new GDPR aims to address:
1. Lack of transparency about how personal data is used: Privacy policies are generally written in lengthy and complicated terms that users may not understand or even read. Also, some companies do not inform users when there is a data breach or when their data is stolen.
2. Weak rules on data export and transfer to third countries: Businesses were not required to obtain affirmative consent from users before processing their data and passing it on to countries outside the EU. In some cases this was done without the user's knowledge, since silence could be treated as consent.
3. Weak rights over how users' data is used: Users can find it difficult to gain access to the data stored about them or to request its removal.
The new law as a whole aims to harmonise data protection rules across the EU while giving consumers protection and rights over their personal data online. The most significant change the GDPR introduces to address these issues is its extended territorial scope: it applies to all companies that process the data of people in the EU, regardless of whether the company is established in the EU or not. This move appears to be a direct response to allegations of the NSA snooping on EU citizens' data, and it ensures that big international tech firms like Facebook remain accountable under EU law. Furthermore, the EU plans to hold all companies to the law by enforcing heavy fines of up to 4% of worldwide annual turnover or €20 million, whichever is higher, on those that fail to comply.
The GDPR also extends users' privacy rights through the 'right to be forgotten' (the right to erasure), which entitles users to have their data deleted on request by any company that stores it. This applies, for example, where the data is no longer needed for the purpose it was collected for, or where the user withdraws consent, which they may do at any time. To improve transparency, companies will also be obliged, on request, to provide a copy of the personal data they hold about a user.
Other changes further extend consumer rights, such as the duty on companies to report a data breach to the supervisory authority within 72 hours of becoming aware of it, and to inform affected users without undue delay whenever a breach is likely to put their rights and freedoms at high risk. This measure addresses previous cases such as Equifax, where companies failed to inform consumers or tried to cover up a security breach. The new rules place greater responsibility on companies to ensure that data is processed lawfully, with explicit consent where consent is the basis for processing, while assuring users that their data is stored securely. Any company that fails to comply with the measures specified by the new law risks substantial fines.
GDPR and the Future
Only time will tell whether the GDPR will successfully tackle the problem of data exploitation. The call to replace the 1995 DPD already showed how quickly technology can evolve, and how adaptable new laws need to be. In the short term, some companies, particularly smaller ones, have reported difficulties adapting their systems and business practices to comply with the new regulation.
For the most part, the law appears well placed to achieve its aim of empowering consumers in the face of growing online business. Big online companies like Amazon, Google and Facebook will face the biggest challenge under the new GDPR measures, especially those that target advertising based on users' browsing habits. Overall, though, with the boom in online business and growing user concern about data misuse and privacy, it was only a matter of time before a law like the GDPR arrived.
Written by Edward Mah for Together Abroad