Privacy and GDPR
Remember privacy? I vaguely remember a brief time before social media and data analytics, when it felt like I had some control over my personal information, and had a good handle on who had access to my private data. Now, I’m overwhelmed by the thousands of pages of terms and conditions I fly through as I sign up for one more service to improve my life, or, you know, just to be “on the grid.” After all, I can’t exactly pack my family up and move to the woods, at least not without some really good bug repellant.
There may be some good news on the way. You may have heard of a new law, GDPR, or the General Data Protection Regulation. The European Union (EU) developed the law, which goes into effect May 25, 2018. It applies to any organization that handles the personal information of any resident in the EU, regardless of where in the world that organization is located. GDPR requires organizations to maintain the privacy and security of any EU resident’s personal information and to comply with new rules around the collection, analysis, and disposal of that information. Under the new law, EU citizens have the right to know where and how their data is being used; data must be up-to-date and accurate; it must be reasonably protected from theft or misuse; and it may be deleted (in some cases) at their request. The law intends to cut down on a lot of the buying and selling of information that consumers have little awareness of or control over.
The EU will hit companies in the wallet if they don’t abide by the new law (up to 4% of their global revenue, so nothing to sneeze at).
Okay, so this is great for Europeans, but how does this impact citizens of the US? Well, many of the companies you do business with (Google, Facebook, international banks, etc.) have customers in Europe, and have been scrambling over the last couple of years to ensure that they are compliant with the new law. Not surprisingly, many companies are rolling out changes to their entire user base rather than only their EU customers (mostly because it’s really complicated to separate customers into different buckets to comply), so you may very well benefit from the new protections offered under GDPR. You have probably been seeing (or will see) new terms and conditions being rolled out for some of the larger institutions you do business with.
Wait, so does this mean privacy is a thing again, and we won’t have another Facebook-style Cambridge Analytica fiasco where our data is shared without our knowledge or explicit permission? Well… probably not. First, this law applies only to EU citizens, so you won’t be protected if Facebook doesn’t follow the rules here; also, many companies will simply pull out of Europe (or never had customers there to begin with), so you won’t see any new protections there. Second, evidence points to the fact that laws like this tend to be a great start, but companies find a way to comply with the letter of the law without following the spirit of the law (e.g., by having you click an extra button to accept that your data may be used, without making it clear by whom or how). Third, unfortunately, many companies may use this as a reason to provide less transparency around their practices, in the name of protecting data, when it may make it more difficult to see what is actually happening with that data.
I, for one, am hopeful that this legislation will make a difference in this area, since it does seem as though lawmakers have put real thought behind the law. It appears they are wise to the shenanigans many companies pull to sidestep privacy protections (like the 900-page terms, which are hopefully remedied by the law’s requirement to provide unambiguous, specific, affirmative consent prior to information being used). I do hope this provides a roadmap for US legislators to update our privacy laws. In the meantime, I have to consider that move to the woods. It’s getting hot now, and I kind of like air conditioning.