Difference between revisions of "General Data Protection Regulation"

From SI410
Revision as of 18:00, 15 March 2019

The General Data Protection Regulation, or GDPR, is a reform of EU data protection law, adopted by the European Union (EU) in 2016 and applicable from 25 May 2018. It applies to any organisation processing the personal data of individuals in the EU, whether or not the organisation itself is established in the EU. Personal data is defined as any information relating to an identified or identifiable person. This includes, but is not limited to: name, address, IP address, browsing history, etc. The main aim of the GDPR is to “harmonise” data protection in Europe as well as protect individuals’ data privacy. The regulation took four years of preparation. Companies were given from May 2016 to May 25, 2018 to implement the new regulation, and those that failed to comply could face immense fines.

The GDPR has 99 articles that work to 1) protect individuals’ data in the EU, giving them control over their own personal data and 2) hold organizations accountable by mandating evidence and justification for why they are using that data.

The GDPR has a significant effect on not only countries in the EU, but also all other countries that manage and hold data of EU citizens.

History of Data Protection in the EU

The GDPR was preceded by the Data Protection Directive (95/46/EC), adopted in 1995. The directive addressed personal data in a broad sense: it covered manual filing systems as well as automated processing, so data did not have to be processed by computer in order to be regulated. Its three main principles for lawful processing were transparency, legitimate purpose, and proportionality.

Structure

The GDPR is organised into 11 chapters containing its 99 articles, preceded by 173 recitals. The 11 chapters are as follows:

  • I – General provisions
  • II – Principles
  • III – Rights of the data subject
  • IV – Controller and processor
  • V – Transfers of personal data to third countries or international organisations
  • VI – Independent supervisory authorities
  • VII – Cooperation and consistency
  • VIII – Remedies, liability and penalties
  • IX – Provisions relating to specific processing situations
  • X – Delegated acts and implementing acts
  • XI – Final provisions

Content

The GDPR refers to three different groups in the language of the regulation. A data controller is the organisation that determines why and how the personal data of EU residents is processed, and is typically the one that collects it. A data processor is an organisation that processes data on behalf of a controller, such as a cloud service provider. Both groups are held accountable for how they handle personal data. The third group is the individuals the data is about, the data subjects, for whom the regulation details specific rights in relation to their personal data.

Right to Access

Article 15 of the GDPR gives data subjects the right to obtain confirmation of whether their personal data is being processed, to access that data, and to learn how it is being processed, including the purposes, the recipients and the retention period.

Right to Erasure

Article 17, also known as the right to be forgotten, gives individuals the right to have their personal data erased without undue delay, for instance when the data is no longer necessary for the purpose it was collected for or when they withdraw the consent on which the processing was based.

Right of Data Portability

Article 20 gives data subjects the right to receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format, and to transmit it to another controller. This obliges controllers (and the processors working for them) to make the data exportable, so that the user in question can retrieve their personal data and take a copy of it.

Data Protection Officer

Not every business must appoint a Data Protection Officer (DPO): Article 37 requires one for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. The DPO may be shared among several institutions or outsourced. The role of the DPO is to ensure that the organization complies with the GDPR.

Article 83 and Fines

Supervisory authorities (the national data protection regulators), not data protection officers, are given the power to fine companies under Article 83 of the GDPR. For the lower tier of infringements the fine can be up to €10 million or 2% of the company’s total worldwide annual turnover of the preceding financial year, whichever is higher. For more serious infringements, such as violating the basic principles for processing or the rights of data subjects, the fine can be up to €20 million or 4% of worldwide annual turnover, whichever is higher.

Initial Problems

On May 25, 2018, a number of high-profile websites, among them the New York Daily News, Chicago Tribune, LA Times, Orlando Sentinel and Baltimore Sun, temporarily disabled access from Europe. The message shown indicated that the sites were only temporarily inaccessible while they worked to comply with the new regulations.

Legal Complaints

Almost immediately after the GDPR took effect, complaints were filed against companies such as Google, Instagram, Facebook, and WhatsApp for forcing users to consent to the processing of their personal data, which was intended for targeted advertising. [1] In January 2019 Google was fined 50 million euros by the French regulator CNIL for not properly disclosing to users how their data is obtained and used. The fine against Google was the fourth fine against a company since May 2018, when GDPR was implemented. The major change that Google has to make is that it must obtain consent from users before building advertising profiles from their data. [2]

Opting-In

Cookies

While cookies are mentioned only briefly in the GDPR’s text, the changes made to many websites in order to ensure compliance are very noticeable. Cookies that can identify an individual are considered personal data, and a lot can be inferred from one’s cookies, such as preferences and activity. Therefore, individuals now notice that they must consent to cookies being used. The main change is that websites must be explicit and detailed in asking for consent, explaining how the cookies will be used, and must also offer an option to reject them; non-essential cookies may not be set before that consent has been given. The GDPR is not an attempt to eliminate cookies, but rather to enforce transparency and give users the right to know where their data is going as well as to control who can have it. [3]
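The opt-in behaviour described above (no non-essential cookies before consent, a real reject option, and withdrawal honoured) is easy to get wrong in front-end code. The following is an added example, not code from the original page or from any site or vendor named on it, of a consent-gated cookie manager in JavaScript. The class and cookie names (ConsentManager, consent_prefs, the categories analytics and marketing) are assumptions made for this example; it runs under Node with an in-memory jar and shows how the same interface would be backed by document.cookie in a browser.

```javascript
// Added example (not from the original page): a consent-gated cookie manager.
// All names below (ConsentManager, consent_prefs, the category labels) are
// hypothetical choices made for this example.

const CONSENT_COOKIE = 'consent_prefs';           // stores the user's decision; essential itself
const NON_ESSENTIAL = ['analytics', 'marketing']; // purposes that need explicit opt-in

// In-memory jar so the example runs under Node.
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  get(name) { return this.store.has(name) ? this.store.get(name) : null; }
  set(name, value) { this.store.set(name, String(value)); }
  remove(name) { this.store.delete(name); }
}

// Same interface backed by document.cookie for use in a browser.
class DocumentCookieJar {
  get(name) {
    for (const part of document.cookie.split('; ')) {
      const i = part.indexOf('=');
      if (i > 0 && decodeURIComponent(part.slice(0, i)) === name) {
        return decodeURIComponent(part.slice(i + 1));
      }
    }
    return null;
  }
  set(name, value) {
    document.cookie = `${encodeURIComponent(name)}=${encodeURIComponent(value)}; Path=/; SameSite=Lax; Secure`;
  }
  remove(name) { document.cookie = `${encodeURIComponent(name)}=; Path=/; Max-Age=0`; }
}

class ConsentManager {
  constructor(jar) {
    this.jar = jar;
    this.pending = [];                 // non-essential cookies deferred until the user decides
    this.registry = new Map();         // non-essential cookie name -> category, for withdrawal
    this.consent = this.loadConsent(); // null until the user has answered the banner
  }

  // A missing or malformed stored decision counts as "not answered", never as consent.
  loadConsent() {
    const raw = this.jar.get(CONSENT_COOKIE);
    if (raw === null) return null;
    try {
      const parsed = JSON.parse(raw);
      if (parsed && NON_ESSENTIAL.every(c => typeof parsed[c] === 'boolean')) return parsed;
    } catch (e) { /* corrupted record: fall through to "not answered" */ }
    return null;
  }

  hasConsent(category) {
    return category === 'essential' || (this.consent !== null && this.consent[category] === true);
  }

  // Returns true if the cookie was written now. Non-essential cookies are held back
  // while the decision is open and dropped outright if the user already refused.
  setCookie(name, value, category = 'essential') {
    if (category !== 'essential' && !NON_ESSENTIAL.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    if (category !== 'essential') this.registry.set(name, category);
    if (this.hasConsent(category)) { this.jar.set(name, value); return true; }
    if (this.consent === null) this.pending.push({ name, value, category });
    return false;
  }

  // Record a per-purpose choice. Anything not explicitly true is refused (no pre-ticked
  // defaults); deferred cookies for accepted purposes are written, refused ones removed.
  accept(choices) {
    const consent = {};
    for (const c of NON_ESSENTIAL) consent[c] = choices[c] === true;
    this.consent = consent;
    this.jar.set(CONSENT_COOKIE, JSON.stringify(consent));
    const deferred = this.pending;
    this.pending = [];
    for (const p of deferred) if (consent[p.category]) this.jar.set(p.name, p.value);
    for (const [name, cat] of this.registry) if (!consent[cat]) this.jar.remove(name);
  }

  rejectAll() { this.accept({}); }
}

// One visit: banner shown, analytics accepted, marketing left unticked, then all withdrawn.
function runDemo() {
  const jar = new MemoryCookieJar();
  const cm = new ConsentManager(jar);
  cm.setCookie('session', 'abc123');                             // essential: set at once
  const gaBefore = cm.setCookie('_ga', 'GA1.2.1', 'analytics');  // deferred -> false
  cm.accept({ analytics: true });
  const gaAfter = jar.get('_ga');                                // flushed -> 'GA1.2.1'
  const fbSet = cm.setCookie('_fbp', 'fb.1.x', 'marketing');     // refused -> false
  cm.rejectAll();
  return { gaBefore, gaAfter, fbSet, gaAfterReject: jar.get('_ga'),
           session: jar.get('session'), stored: jar.get(CONSENT_COOKIE) };
}
```

Two design points matter here: a missing or malformed consent record is treated as no decision rather than as consent, and any category the user did not explicitly tick is refused, so a banner built on this cannot be pre-ticked into a "yes". In a browser, construct `ConsentManager` with `new DocumentCookieJar()` instead of the in-memory jar.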

Privacy

As technology has evolved, privacy has been compromised. Luciano Floridi theorizes about the impact that ICTs have on individuals and the defining issues of data privacy. When technology breaks the barrier of trust by taking personal information from an individual without their knowledge, the individual can feel vulnerable. As Floridi says, "Confidentiality is an intimate bond that is hard and slow to forge properly… but it is also a bond brittle and difficult to restore… since the disclosure, deliberate or unintentional, of some personal information in violation of confidence can entirely and irrecoverably destroy privacy…" The clash between privacy and technology arises from the speed at which technology evolves: policies written to protect users quickly lose value as newer technologies emerge. James H. Moor explains that conceptual muddles develop as a result of technological revolutions. These conceptual muddles refer to the ethical dilemmas faced by both users and organizations that use technology.

An example of such an ethical dilemma in the context of the GDPR is that users’ personal data was previously often taken without the user having any knowledge of it. While there were often privacy statements in fine print on websites, the language was difficult to understand or not transparent enough. Moor emphasizes that policies must be put in place as the consequences of technology continue to unfold. This is precisely what the GDPR aims to do as it works to protect individuals’ privacy.

References

  1. "Google and Facebook accused of breaking GDPR law" bbc.com. Retrieved 11 March 2019.
  2. "Google Is Fined $57 Million Under Europe's Data Privacy Law" nytimes.com. Retrieved 11 March 2019.
  3. "GDPR and cookies | What do I need to know? | Is my use of cookies compliant?" cookiebot.com. Retrieved 12 March 2019.