You must have noticed the barrage of emails announcing that the General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Six years in the making (proposed in January 2012, adopted in April 2016), the GDPR replaces the 1995 Data Protection Directive and sets the rules for how personal data of people in the EU may be collected and used.
We will dive deeper into GDPR, how it affects you, and implications for the future. We will explore the interesting work that other companies have done to comply as well as highlight interesting parts of the regulation. I am not a lawyer and this is not legal advice.
Does GDPR apply to me?
Most probably yes. If your business offers goods or services, free or for a fee, to people who are in the EU, or monitors their behaviour, then you are affected, especially if you are collecting personal data (an email address is personal data).
Before GDPR, the 1995 Data Protection Directive reached you mainly if you were established in the EU or processed data using equipment located there (for example, servers on European Union territory).
Now the mere fact that you offer goods or services to, or monitor the behaviour of, people who are in the EU (Article 3(2)) means you must comply, even if you are headquartered in the Cayman Islands and all your servers are in Singapore. Being downloadable from the iOS App Store or Google Play is not by itself enough (Recital 23 says mere accessibility of a site or app does not show intent), but if you ship to EU addresses, price in euros, localise for an EU language, or track the activity of users in the EU, you are in scope.
If you are not compliant (you can read the official regulation here), you might want to block European users, as many US news outlets did. Today, companies are scrambling to become compliant (even though they had about two years to do so, since the text was adopted in April 2016).
What should my business/app/website/company/startup do?
The following applies to goods and services you provide to people in the EU. Strictly you only need to comply for them, but it's tricky: if a customer opts in while in the US and then moves to Germany, how do you make sure you are compliant for that person?
The safest way is to enable compliance for all territories, across all your domains, across services you provide worldwide.
Here are the most interesting things that your business needs to do.
Ask People to Opt-in for Everything and Add Opt-out Option
Where a website, app or service relies on consent, that consent must be a clear, affirmative act: freely given, specific, informed and unambiguous (Article 4(11)), so pre-ticked boxes and silence do not count (Recital 32), and withdrawing consent must be as easy as giving it (Article 7(3)). Consent is only one of six lawful bases listed in Article 6, so not every processing operation needs an opt-in, but marketing by phone, email or text, and non-essential cookies and trackers, are the usual cases where it does.
Companies must update their privacy notices and make them concise, transparent and easy to understand (Article 12). The notice must say what is collected, why, on which legal basis, for how long, and who receives it, including third-party trackers and analytics providers (Articles 13 and 14 require at least the categories of recipients). This is why we have been getting all these emails. Basically GDPR requires easily understandable privacy notices and options.
Report Data Breaches Immediately
In case of a breach, the supervisory authority must be notified without undue delay and, where feasible, within 72 hours of the company becoming aware of it (Article 33), together with an assessment of the likely consequences and the measures taken; the breach must also be documented internally. Affected people must be told without undue delay when the breach is likely to put them at high risk (Article 34). This means you should not have to wait weeks to find out your email address and password were leaked. We are looking at you, Equifax, which discovered its breach on July 29, 2017 and did not disclose it until September 7!
Equifax reveals full horror of its data breach – “146.6 million names, 146.6 million dates of birth, 145.5 million social security numbers, 99 million address information and 209,000 payment cards (number and expiry date). There were also 38,000 US drivers’ licenses and 3,200 passport details.” from r/technology
Comply or You Shall be Fined
The fines are high: up to €20 million or 4% of worldwide annual turnover, whichever is higher (Article 83). Comply or you will be fined heavily. Complaints were filed against Google and Facebook (including its Instagram and WhatsApp services) on the day the regulation took effect, and against Amazon, Apple and LinkedIn in the days that followed. Others are probably going to follow.
Google and Facebook accused of breaking GDPR laws https://t.co/Kez8BVSp90
— Hacker News (@newsycombinator) May 25, 2018
Privacy for People in the EU vs Everyone Else
The rights below are granted to anyone who is in the EU, regardless of citizenship (the regulation speaks of data subjects "in the Union", not of EU citizens). If you live outside the EU you do not get the same rights by law, but you might in practice, because a company decides to apply GDPR to all its customers regardless of location.
Right to Change Settings at Anytime
You can change your opt-in/opt-out settings at any time with ease, and withdrawing consent must be as easy as giving it (Article 7(3)).
Right To Access and Download Your Data
You have a right to access your data (Article 15), to receive a copy in a portable, machine-readable format (Article 20), and to ask for it to be erased (Article 17; the right is not absolute, for example where the company is legally required to keep the data). Google and Facebook have offered data downloads since around 2011 and 2010 respectively, so now everyone must.
The law is indeed messy. The GDPR tried to remove a lot of the ambiguity and uncertainty of the previous laws. It tries to protect people in the European Union and binds every business established in the EU or dealing with people in it. The problem is that it is really hard to figure out what to do in certain situations. Here are some ambiguous examples.
Notification Period for a Data Breach: The Target Hack
What is “without undue delay”?
For notifying the supervisory authority the law does set a clock (72 hours where feasible), but for telling affected people it only says “without undue delay”, and what that means is up to interpretation. I think we will need stricter laws for them to become useful and we will see lawsuits because companies will be too lax on notification enforcement. Who is going to enforce “timely” and “without undue delay”? Is 72 hours a good time? We are looking at you, Target! You knew about the breach. Target settled for $18.5m with 47 states and the District of Columbia over its 2013 breach, which affected 41 million customer payment card accounts.
The Global Citizen and the VPN: The Google Tracking Scandal
We are now more connected than ever before, by fast airplanes and cars; many borders are open and people travel frequently. That makes the GDPR hard to apply to people travelling in and out of the EU, because it is extremely hard to determine who is actually in the EU at a given moment. What if someone uses a VPN to mask their real location? What if someone in Brazil uses a European VPN exit, or a European uses a Brazilian one?
Google was reported to be tracking user locations even when the “location tracking” setting was off. Now imagine you cross an international border, the applicable law changes, and you go back to being under surveillance.
Artificial Intelligence Remembers Forever: Revisiting Cambridge Analytica
A trained model can retain what it learned from your data indefinitely. Once a system has been trained on your behaviour, the influence of your records is baked into its parameters, and it is extremely hard (often impossible) to remove that influence without discarding the model and retraining it from scratch on everything except your data; simply deleting your rows from the database does not touch the model.
If Netflix built a model that knows that because you like action movies you will like the new James Bond movie, and you then ask for your data to be forgotten, Netflix would have to throw away that model and retrain it without your data. The law is not clear about whether Netflix is required to retrain its model in this case.
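As an added illustration (example code written for this page, not code from Netflix or from the original post): a toy recommender trained by logistic regression on constructed ratings. It shows that deleting a user's rows from the "database" leaves their influence in the trained weights, that removing it means retraining, and one way to keep that affordable: train on disjoint shards keyed by user id and retrain only the shard that held the user, which is the published SISA unlearning approach (Bourtoule et al., 2019), used here as an illustration only. The user names, the four movie features and every rating are made up.

```python
"""Why deleting a user's raw records does not 'forget' them, and one way
to bound the cost of honouring an erasure request.

Model: logistic regression trained by SGD in pure Python (no third-party
packages). Training is deterministic for a given seed, so two trainings
on identical data give identical weights and can be compared exactly.
"""
import hashlib
import math
import random

# Constructed sample data (hypothetical): each record is
# (user_id, [action, comedy, romance, sequel], liked).
N_FEATURES = 4
RECORDS = [
    ("alice", [1, 0, 0, 1], 1),
    ("alice", [1, 0, 0, 0], 1),
    ("alice", [0, 0, 1, 0], 0),
    ("bob",   [0, 1, 0, 0], 1),
    ("bob",   [1, 0, 0, 1], 0),
    ("bob",   [0, 0, 1, 1], 0),
    ("carol", [0, 0, 1, 0], 1),
    ("carol", [0, 0, 1, 1], 1),
    ("carol", [1, 0, 0, 0], 0),
    ("dave",  [0, 1, 0, 1], 1),
    ("dave",  [1, 1, 0, 0], 1),
    ("dave",  [0, 0, 1, 0], 0),
]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def predict(w, x):
    """P(liked) for feature vector x; the last weight is the bias."""
    return sigmoid(sum(w[j] * x[j] for j in range(N_FEATURES)) + w[-1])


def train(records, epochs=200, lr=0.1, seed=0):
    """Fit weights by SGD on the log loss. An empty shard yields an
    all-zero model, i.e. it predicts 0.5 for everything."""
    w = [0.0] * (N_FEATURES + 1)
    rng = random.Random(seed)          # fixed seed: reproducible training
    order = list(range(len(records)))
    for _ in range(epochs):
        rng.shuffle(order)
        for i in order:
            _, x, y = records[i]
            grad = predict(w, x) - y   # dLoss/dz for the logistic loss
            for j in range(N_FEATURES):
                w[j] -= lr * grad * x[j]
            w[-1] -= lr * grad
    return w


def influence(records, user_id):
    """L1 distance between a monolithic model trained with and without the
    user's records: how much of that user is baked into the weights.
    Deleting the rows alone changes nothing; only retraining does."""
    with_user = train(records)
    without_user = train([r for r in records if r[0] != user_id])
    return sum(abs(a - b) for a, b in zip(with_user, without_user))


def shard_of(user_id, n_shards):
    """Stable shard assignment keyed on user id, so all of one user's
    records live in one shard. (Python's hash() is salted per process,
    so a real digest is used instead.)"""
    digest = hashlib.sha256(user_id.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % n_shards


def train_sharded(records, n_shards, seed=0):
    """One independent model per shard (the SISA layout)."""
    shards = [[] for _ in range(n_shards)]
    for rec in records:
        shards[shard_of(rec[0], n_shards)].append(rec)
    return [train(s, seed=seed) for s in shards]


def predict_ensemble(models, x):
    """Average the shard models' predictions."""
    return sum(predict(w, x) for w in models) / len(models)


def erase_user(records, models, user_id, n_shards, seed=0):
    """Honour an erasure request: drop the raw records AND retrain the one
    shard model that was fitted on them. Returns (remaining_records,
    updated_models, index_of_retrained_shard)."""
    remaining = [r for r in records if r[0] != user_id]
    k = shard_of(user_id, n_shards)
    shard_rows = [r for r in remaining if shard_of(r[0], n_shards) == k]
    updated = list(models)
    updated[k] = train(shard_rows, seed=seed)
    return remaining, updated, k


if __name__ == "__main__":
    print("alice's footprint in the monolithic model:",
          round(influence(RECORDS, "alice"), 3))
    models = train_sharded(RECORDS, n_shards=2)
    bond = [1, 0, 0, 1]                      # an action sequel
    print("P(like) before erasure:", round(predict_ensemble(models, bond), 3))
    remaining, models2, k = erase_user(RECORDS, models, "alice", n_shards=2)
    print("retrained shard", k, "only; P(like) after:",
          round(predict_ensemble(models2, bond), 3))
```

The sharded layout trades some accuracy for a bounded retraining cost: an erasure touches one shard rather than the whole corpus, and the retrained shard is bit-for-bit what training from scratch on the remaining rows would produce, which is the property you would want to be able to show a regulator.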
The Fines are Too Low
The fines are too low in my opinion. Monetary fines are not enough. Sometimes the impact of a data breach could be severe hardship and financial losses, and stress for affected users and their family members. I believe that negligence in data breaches, protection, and privacy should be covered by criminal law and punishable by imprisonment. Banks and corporations should be held accountable for the consequences of their actions.
Two Canadian Banks, BMO and CIBC, were breached earlier this week (Monday May 28, 2018). This is unacceptable. Today’s corporate risk strategy doesn’t emphasize data security (because honestly the risk to the business is not as great as the investment in security). It’s only because companies lose money when they get breached. Companies might not care about users. In order to raise the stakes for the companies, the charges for violating privacy should be criminal because people’s lives could be completely destroyed by a data breach.
Global Privacy Regulation
As companies and websites scramble to become GDPR compliant (and yes, every website that serves or tracks people in the EU needs to be), this marks only the beginning of the next stage in privacy regulation.
Other countries must start implementing their own privacy regulations. We truly need global privacy regulation just like we needed global Intellectual Property and Patent laws. It is inefficient, confusing, and hard to enforce regulations that are not global when we are talking about data over the internet.
Lawsuits and Courts Demystifying the Laws
There is a great deal of ambiguity in every law. The next couple of years we will see more lawsuits regarding GDPR and privacy law. The courts will help clarify all these laws and their subtleties. It will be interesting to see the ethical frameworks being formed in order to tackle digital privacy law.
US Regulation and Privacy
The US is home to some of the biggest tech giants and collectors of a lot of personal information (Google and Facebook), therefore privacy regulations in the US will have a great impact on data privacy regulations across the globe. Between Snapchat thinking it’s not a Facebook and the US Congress being clueless about the internet while questioning Mark Zuckerberg, the privacy law climate is ready for new regulation. Everyone is waiting for the US to follow suit with their own privacy regulations. The Consumer Privacy Bill of Rights introduced in 2012 never got any traction (around the same time discussion about GDPR started). More work is needed and we are all waiting.
The views presented in this article are Abdallah’s and don’t represent the views of his employer or Software Engineering Daily.