Words by: Merve Bektas, Yasmim Pessoa, Kaia Socha, Laura Basiacco, Justyna Zawada, Artaban Micali Drossos, Luciano Morganti, Heritiana Ranaivoson
Who has not yet seen this request while navigating the Internet: “This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies”? We all have! But, let’s be honest: how many of us even know what exactly we are agreeing to?
Yet, every day, we put our trust in the hands of companies without knowing the specifics of the terms and conditions we subscribe to. Why do we do so? Most probably, it is because the wish to log in quickly, to buy a specific product (one we can no longer live without!), to book an Airbnb … all of this and more outweighs the burden of reading the pages of terms and conditions we are supposed to read and agree to.
Can someone blame us for not wanting to read those tedious conditions? At first, this does not seem to be an important issue, but as we look more in depth, things are slightly more complicated. The data we share online (willingly and not willingly) is a reflection of ourselves: our consumer behaviour, our shopping patterns, our likes and dislikes, and even our sensitive health data… all of these contribute to building a digital version of ourselves. It comes down to the point where this data basically tracks our every move: where we have been, what we have done in the past and what we will do next. Some data experts have compiled algorithms that can geo-locate users based on the frequency and location they share as they tweet throughout the day.
Although the European Union built a framework to protect users’ data with the Data Protection Directive (95/46/EC), which was implemented in 1995, this directive has now become obsolete given the increasingly fast development of tech giants and their new business models.
The EU tried to give a response to the issue with the General Data Protection Regulation (GDPR), which came into force last May. GDPR is one of the main objectives of the EU Digital Single Market. The European Commission proposed this novel regulation in 2014, and it was subsequently approved. It means that all businesses acting on the EU market are obliged to comply with this new set of rules.
This was necessary as, without the appropriate laws, there is little to protect us from data misuse. We learnt the lesson with the scandal regarding Cambridge Analytica and Facebook, where the personal data of 87 million users, of whom 2.7 million were European citizens, was harvested for economic or political purposes. This is precisely what we should try to avoid. There are still ongoing investigations regarding this issue, and the number of people affected by this breach could increase significantly. One could argue that Facebook got off easily this time, since the Cambridge Analytica breach happened prior to the enforcement of GDPR. However, this incident should be taken as an example of how serious this issue is, of how to better prepare for the upcoming evolution and, especially, of the importance of having an EU-wide legal framework to protect ourselves from misuse of our data.
Andrus Ansip, the Vice-President for the Digital Single Market at the European Commission, stated the following: “Data protection is at the heart of the digital single market: it builds a strong basis to help Europe make better use of innovative digital services like big data and cloud computing.” Another important purpose of this regulation is to grant users more control over their personal data.
Here are a few points that changed on May 25th, 2018. First, citizens have (1) the right to be forgotten, which means companies must delete all personal data from their databases if users ask them to. Companies are also responsible for informing users about third parties who have access to their personal data. Second, (2) informed consent: all users must be informed when their data is being processed. The users’ consent must be asked for clearly and in understandable language, without using long terms and conditions. Third, (3) the right to information and transparency: users must be informed at all times about how their data is processed and for which purposes. Companies are required to send out (4) a breach notification within 72 hours. Companies that fail to comply with GDPR can be (5) fined up to 4% of their annual global turnover.
All European citizens should be aware of these few, yet extremely important, points and of the relevance the EU has given to personal data protection. We should also be less naïve and take the time to read those tedious terms and conditions that one day we might discover to be relevant and important.
There is, however, a need to assess the impact of the regulation on online service providers’ behaviours. As long as there is an economic incentive to use, and abuse, personal data, such providers will be tempted to look for ways to circumvent the GDPR.
This blog is part of the BrusselsTalking Lecture Series held at the VUB in the framework of the Masters “New Media and Society In Europe” and “Journalism and Media in Europe”. Read more interesting blogs on https://brusselstalking.blog