GDPR Goes Live – What Exactly This New Data Privacy Law Means for Users
Everyone seems excited about the new privacy rules, the General Data Protection Regulation (GDPR), that came into force today in Europe. GDPR promises to bring the focus back to users, giving them some control over their data. Offering the strongest protections seen so far, GDPR is applicable in all member states of the European Union, harmonizing data privacy laws across Europe.
By now you must have received many emails asking you to give your consent. From simple newsletters to major tech companies like Google, everyone has been hustling to get user consent, even from users who had already given it. Only a minute ago, Disqus showed this screen to ask for my consent:
But criticism will certainly follow a law that promises the strongest protections we have ever seen, in a world where privacy is but a myth. Many hope that other countries, and the EU itself, will continue to evolve these rules to make sure companies don't get away with everything simply by asking for consent.
What exactly is GDPR - some highlights
The European Parliament adopted the GDPR in April 2016, replacing a directive from 1995. GDPR is a regulation that requires businesses that collect data from European users to protect the personal information and privacy of EU citizens. These rules govern how companies protect user privacy, how they store user data, and how this data is exported outside of the EU.
GDPR protects personal data, including:
- Identity information - name, address
- Health and genetic data
- Biometric data
- Location data - IP address, cookies
- Racial, ethnic data
- Political opinions
- Sexual orientation
If you have been wondering how GDPR is giving you control and what exactly is this law all about, here are some of the key points of this new regulation.
- Consent must be "freely given, specific and informed as well as unambiguous"
This is one of the core principles of the 99 articles put forward by the GDPR. The law demands that companies obtain consent through a "clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her."
- Companies cannot process personally identifiable data
Article 9 of the GDPR says that the companies cannot process personal data that reveals:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for the purpose of uniquely identifying a natural person
- Data concerning health or data concerning a natural person’s sex life or sexual orientation
unless consent is given or there is a legal reason to process that personally identifiable information.
- Companies must have a specific reason to process data
Under Article 5, the GDPR demands that all companies collect data for specified, explicit and legitimate purposes. This essentially means that anyone who claims a need to process user data should have a clear reason to do so (there are six such reasons given in Article 6).
For example, Wccftech recently asked its newsletter subscribers whether they are willing to let us continue storing their data, which includes their names and email addresses. Since newsletters cannot be sent without these details, this makes for an "explicit and legitimate" reason to store and process the data.
- Users will have the right to withdraw consent at any time
You felt like giving your consent to Facebook to store your data in 2012. Shouldn't you be able to remove that consent years after you first gave your agreement? GDPR gives EU citizens a right to withdraw their consent at any time. "The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal," the law says.
As long as it's easy for users to withdraw their consent, there shouldn't be any problems for the users or the companies.
- Data must be stored securely
Passed in 2016 - known as the year of data breaches - GDPR tries to limit data exposures by demanding that companies store and process data in a way that ensures the security of personal data. Agreeing to share your personal data with a company does not mean that you are okay with them being irresponsible with it.
If the company suffers a breach, your data should be stored in a form - anonymized or encrypted - such that it cannot be used by anyone other than the company that received your consent.
- EU citizens will have the right to be forgotten
While we have heard a lot about privacy policies and how consent is given, there's more to GDPR than just clicking on the Agree button. Article 17 of the GDPR gives EU citizens the right to erasure, aka the right to be forgotten. This has already been in place, as we previously reported when covering how Google decided which requests to comply with and which to ignore (read: criminal politicians trying to rewrite history).
"The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies," the law reads.
- Children need parental consent
GDPR requires companies that process the data of those under 16 years of age to ask for consent from a parent. Facebook has already implemented this feature; however, it remains to be seen how companies can avoid being tricked by children who list their friends as their parents (at least in the Facebook case).
GDPR does place the responsibility for this on the companies that process data, which must "make reasonable efforts to verify" that consent is being given by "the holder of parental responsibility over the child."
- Right of access aka all those "download your data" tools
We shared a number of articles detailing steps that you can use to download a copy of all the data that a certain company holds on you. Some companies like Google and Apple offered this ability before GDPR. Others like WhatsApp started doing so to comply with the GDPR rules.
This article effectively gives you the right to learn from the company that holds your data whether it is processing your data, which categories of data it holds, how long it has stored this data, and, if the data wasn't collected directly from you, what its source was.
Apparently, this article is being used in Europe to see how credit rating companies acquire their data and how transparent their processes are. As we previously said, GDPR isn't just about compliance; it's also going to result in a lot of headaches for the many companies that have to fulfil these user requests.
This one is also an example of how GDPR isn't just benefiting those inside Europe but people elsewhere too. These data download tools have been made available by all the major companies to all of their users worldwide.
- You have the right to get your data deleted or rectified
You now have the right to demand that companies correct any inaccurate personal data they store. You will also be able to demand that the data controller - that is, any company storing or processing your data - permanently delete it.
- You can take your data anywhere you want
A company like Facebook or Google holds a lot of data on you. If you decide to stop using any of their services, this shouldn't mean that you lose all of the content created during that time. GDPR gives Europeans the right to data portability.
Companies have to provide all of the data stored on a user "in a structured, commonly used and machine-readable format," so that you can take that data to another company at any time you want.
The General Data Protection Regulation gives several other controls and rights to the user. The regulation has also expanded the scope of what must be considered to be personal data. Along with protection of personal data, GDPR also requires companies to notify users within 72 hours of a data breach or face massive fines. While we may feel as if we are being railroaded into giving our consent, the new privacy rules offer several additional protections that a European user can use to strengthen their privacy and demand further protections.
The real reason these rules may be able to stop these data monsters in their tracks is the fines, which can go up to 4% of a company's annual global turnover or €20 million, whichever is higher.
- Do you think GDPR is going to start a new era of the internet where users get back control of their data? Or do you believe that privacy is indeed a myth? Don't forget to share your thoughts.