New personal data privacy law highlights the vast difference between Europe and the US
- GDPR confers right of control of control over personal data to Europeans
- Privacy by design and default becomes law this Friday
- Streamlined regulatory environment will also affect the US
- London and New York: A tale of two cities
This Friday, all across the Europe Union and the European Economic Area, the GDPR (General Data Protection Regulation) becomes law. The ground-breaking legislation is designed to protect the privacy of all individuals within that entire geographic area and also addresses the export of personal data outside the EU and EEA. What the GDPR does is to confer on European citizens and residents the right to control over their personal data and to streamline the regulatory environment for international business having any dealings with the EU or EEA. Thus, although the GDPR is a European initiative its provisions will also have a profound effect overseas, not least in the US.
Henceforth, business processes manipulating personal data must be built with "privacy by design and by default". In other words, systems must be designed from the very outset to comply with the strictest levels of data protection and security that must already be in place. From now on no data is publicly available without the explicit consent of the subject and cannot be used to identify anyone without additional information that must be stored separately. What's more personal data may not be processed in any way other than under the law as specified by the GDPR or unless the data's owner (i.e. the individual concerned) has given provable explicit opt-in consent - and that consent can be withdrawn at any time.
Any organisation, body or company processing personal data must disclose to the owner exactly what data is being collected and how, why it is being processed, how long it is being retained and if it is being shared with any other parties. Users have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances. Public authorities and businesses whose core activities are based on the regular or systematic processing of personal data, are required to have a Data Protection Officer (DPO), who is responsible for managing compliance with the GDPR. Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy.
It is a massive change and some big companies (and we all know who they are so the likes of Facebook, Google and Amazon take note) will soon find that their days of cavalier, free-booting and often downright disingenuous approach to data privacy are drawing to a close. The European worm has turned and the knock-on effect around the globe will be very significant.
The land of the not so free after all
That's why a revelatory article in today's New York Times is of particular interest. The piece makes no claims to scientific rigour but as an exercise in illustrating the differences between what now pertains in Europe, in contrast to the US, in as far as the disclosure by web scale tech companies of the data they hold on individuals it is salutary indeed. Two New York Times correspondents, one in the UK (which is still an EU member state and will continue to abide by the provisions of then GDPR post-Brexit) and the other in the US, decided to test how comparatively easy (or difficult) is to access their personal information on either side of the Atlantic. Unsurprisingly, Europe wins, hands down.
Prashant in London and Natasha in New York asked Amazon, Facebook, Google, LinkedIn, Twitter, their mobile service providers and marketing analytics companies to provide them with copies of the information they hold on them. The differences in the responses were stark: from web analytics marketing company Quantcast, Prashant in London got a spreadsheet with 200 rows of data tracked from his online activities containing a scary amount of details about his personal life. Natasha in New York got a single row of data showing that she once read an article on Forbes.com. Much else is held on her, of course, but none of it was revealed under US law.
Quantcast's report to Prashant contained 343 "marketing classifications" obtained from data brokers. Amongst the welter of detail were items showing that he had used the OpenTable app to book a meal at a particular restaurant, that he had read a CNN article on President Trump’s new steel and aluminium tariffs, is considering buying a new mobile handset and taking a holiday in South Africa. He is classified as a "heavy spender" (on pet food), owns a flat screen TV, likes biscuits and chocolate and doesn't smoke.
The analytics engines also concluded that Prashant could be a woman over the age of 65 and owns a car. He isn't and doesn't. And as for Natasha? All she got was data on the aforementioned Forbes article. That was it. She still has no idea what information the various companies she approached have on her. Quantcast later told her that it had actually sent the one item of data to her in error "because consumers in the United States do not have a comprehensive right to obtain copies of the data held by American companies."
Unsurprisingly given past incidents Amazon's much vaunted transparency remains as opaque as ever. In the UK Prashant did get a basic list of his order history, credit card details, the data addresses of his subscription to Amazon Prime, his wish list items and the devices he uses to access Amazon's various services. He followed up with a request that he be provided with details of his video-viewing data Amazon told him it is "committed to complying" with the GDPR and was looking into it and would send him the data in due course. He's still waiting for it.
Natasha's experience was much worse. She wanted the complete history of her Amazon account. In reply she got an email telling her to phone the company. After being on hold for many minutes she was told that Amazon keeps the records it has on her "for business purposes" and would not disclose them to her because "it's all private."
Neither Twitter or LinkedIn provided her with the information she requested. Facebook told her that the site's self-service data download tool “has been reviewed by our data protection regulator” and would allow her “to access all of your Facebook data.” The company told Prashant in the UK that the self-service tool would allow him to access only “the Facebook information available to you” and that the company “isn’t able to provide additional information.” Incredibly, T-Mobile told Natasha that they would release her phone records to her "only if it receives a subpoena" forcing it to do so.
Trouble is looming for these overweening organisations and their ilk. That's why Zuckerberg has decided to come to Europe and prostrate himself before the regulators and legislators. He knows it's his last chance. Social media sites have had it their own way for far too long and many have proven themselves, time and again, to be utterly untrustworthy. On Friday when the GDPR becomes law, and they are found to be in breach of it, they can be fined four per cent of annual global revenues - and not just once. Repeated contraventions will attract repeated penalties. Wonder who will be first to be made to pay up?
One point though: OK so they comparison between Prashant is subjective and anecdotal (and informative) but one wonders what the results would have been if one person had requested their data on both sides of the Pond.
Sign up to receive TelecomTV's top news and videos, plus exclusive subscriber-only content direct to your inbox.