How is your privacy handled?

It is hard to imagine today's online sphere without running into privacy-related news, measures and actions. In this post we explore these developments from a European perspective by looking more closely at the General Data Protection Regulation (GDPR). Although we may be able to follow the news about privacy regulation and data breaches, it is sometimes hard to relate it to our personal lives. What do these things mean for us as European citizens? What are our rights regarding online privacy, and how do they differ from those in other parts of the world? This blog is an attempt to create a better understanding of the subject. We will share the basics of privacy regulation, write about new developments, and share tools and guides that can be used to safeguard your privacy.

So it appears that even one year after the GDPR came into force, many consumers and business leaders still do not understand the law. Indeed, the lack of understanding and awareness among consumers may be part of the reason more small businesses don’t prioritize GDPR compliance. We believe data privacy and security are important values and crucial to building a better Internet.
GDPR.eu

The quote above comes from the official website of the EU General Data Protection Regulation (GDPR). Specifically, it is taken from the 2019 GDPR Small Business Survey, which was an attempt to measure the understanding of data protection regulation among small business leaders and consumers exactly one year after the regulation took effect. So, while there had been some progress in building a safer internet, many European citizens remained unaware of their digital rights and how to exercise them. Since then a lot of information on the subject has appeared on the Internet, but most of it seems to be about what the GDPR means for businesses. In this blog post we will instead try to condense some of the information that concerns you, a European citizen. Let's try to unpack some questions around this subject in the following sections to make things a little more comprehensible.


“GDPR who?”

The General Data Protection Regulation (GDPR), in effect since May 2018, replaced the separate rules of individual EU member states and data protection legislation that was over two decades old. Its main purpose is to protect the personal information of individuals. You can imagine that the need for data protection now has a far bigger scope than it did in the 1990s, when the earlier regulation first came about. The emergence of social networks has led people to share a great deal of personal information online, which calls for stricter handling of this data. The EU is now in fact the region with the world's strongest data protection rules. The rules apply to organizations based in the EU that collect and process data from EU residents, and to all non-European organizations that process data of individuals located within the EU. All this must happen on the condition that the individual in question (also referred to as the 'data subject') has given consent and can access their data, change it and have it removed whenever they want to. Companies and institutions that do not comply with the regulation can be fined up to 20 million Euros.

What falls outside the GDPR's scope is data collection for activities that are not related to commercial or professional activities, for instance a purely personal or household activity. All this is a way for people to be better informed about the traces they leave online, and to give them real agency in the decisions they make there. Before these regulations were in place, websites could store a great deal of personal information about their users without having to tell them. By leaving users in the dark, the reasons for keeping this information remained undisclosed as well. The GDPR is meant to put an end to this withholding of information and to increase user control over personal information when browsing the Internet.

Basically, the GDPR involves three players: the data controller (the responsible company or organization that keeps the data for a certain purpose), the data subject (the individual who shares their data) and the data processor (a legal person that processes data on behalf of the data controller). A social network site is a good example. On this site you have an account through which you provide personal information to build your profile and connect to other people. In this case you are the data subject and the social network site is the data controller. The site then needs to make sure to engage an independent data processor (which could for instance be part of the IT team) to make sure the data is handled in compliance with the rules.

“But what does GDPR have to do with me? Oh, cookies…”

It thus seems that the EU is a pioneer in implementing data protection measures. But it might still be pretty abstract to the average internet user what these measures do. The most visible effect is probably the "cookie consent" that internet users have to agree to when using commercial or professional websites. Cookies are small text files that are stored on your computer while browsing, and which enable different website functions. In some cases, cookies are strictly necessary for the basic functioning of the site and expire after one 'session' of browsing. These cookies are placed on your device directly by the website itself and are usually 'first-party cookies'. However, it is not these cookies that one has to consent to. The cookies we are concerned with are persistent third-party marketing cookies, and they are often discussed in relation to privacy risks. They stay on your hard drive until you remove them or until they expire. "These cookies track your online activity to help advertisers deliver more relevant advertising or to limit how many times you see an ad. These cookies can share that information with other organizations or advertisers", and "Given the amount of data that cookies can contain, they can be considered personal data in certain circumstances and, therefore, subject to the GDPR." Being able to say 'no' to these trackers, or to adjust their settings, gives users and consumers an increased level of agency when using the Internet.

Why say no to cookies? We will again take the example of the social network and relate it to persistent third-party tracking cookies. The information you provide on a social network site (SNS) is sold to third parties that will pop up in your feed with targeted advertising. This is the business model of a lot of big platforms. When you click on the ads, they make money. But it's not just the clicks they save information about. Trackers can also see how much time you spend scrolling past an ad, or how active you are on different parts of a website. This isn't limited to the particular sites you visit either: if you are logged in to a Google, Facebook or LinkedIn account in your browser, every site that embeds one of their buttons or icons can report your visit back to them. This information about you is saved and linked together, which is the reason you want to consent with caution instead of blindly accepting a number of cookies to be stored on your device. — Between first- and third-party cookies there are many different types of cookies, each with their own duration, provenance and purpose. You could watch the video below to see how ads follow you around on the internet. You could also read more about types of cookies and how they work here and here.
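To make the distinctions in the two passages above concrete, here is an added example (not code from the original post) that reads the Set-Cookie headers a browser receives while loading one page and sorts each cookie into the categories described: session versus persistent, and first-party versus third-party. The hostnames and headers are constructed; the first-party check is simplified and assumes the site host is already its registrable domain rather than consulting the Public Suffix List as real browsers do.

```javascript
// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq0 = parts[0].indexOf('=');
  const cookie = {
    name: eq0 === -1 ? parts[0] : parts[0].slice(0, eq0),
    value: eq0 === -1 ? '' : parts[0].slice(eq0 + 1),
    attrs: {},
  };
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    cookie.attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return cookie;
}

// Persistent when the server set Expires or Max-Age; otherwise it is a session
// cookie that the browser discards when it is closed.
function isPersistent(cookie) {
  return 'expires' in cookie.attrs || 'max-age' in cookie.attrs;
}

// Third-party when the responding host is neither the site in the address bar
// nor one of its subdomains (simplified: no Public Suffix List lookup).
function isThirdParty(siteHost, setterHost) {
  const site = siteHost.toLowerCase();
  const setter = setterHost.toLowerCase();
  return setter !== site && !setter.endsWith('.' + site);
}

// One record per response. "consentRelevant" marks the persistent third-party
// cookies that the post says cookie banners are really about.
function classifyCookies(siteHost, responses) {
  return responses.map(({ host, setCookie }) => {
    const c = parseSetCookie(setCookie);
    const persistent = isPersistent(c);
    const thirdParty = isThirdParty(siteHost, host);
    return { name: c.name, host, persistent, thirdParty, consentRelevant: persistent && thirdParty };
  });
}

// Constructed sample: a shop page that also loads an ad network's tracking pixel.
const SAMPLE_RESPONSES = [
  { host: 'shop.example', setCookie: 'sessionid=a1b2c3; Path=/; Secure; HttpOnly' },
  { host: 'cdn.shop.example', setCookie: 'lang=en; Max-Age=2592000; Path=/' },
  { host: 'pixel.adnet.example', setCookie: 'uid=9f8e7d; Max-Age=31536000; Domain=.adnet.example; SameSite=None; Secure' },
];
console.log(classifyCookies('shop.example', SAMPLE_RESPONSES));
```

Only the ad network's cookie comes out as both persistent and third-party; the shop's own session cookie and its CDN's preference cookie do not.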

If you’re getting a bit tired of reading, here is a good explanation about cookies and ads by Vox News.

But in some cases, obtaining lawful consent remains an issue, as information about what exactly you are giving consent to is not communicated clearly: "When you use websites and apps, you don't read every word on every page - you skim read and make assumptions. If a company wants to trick you into doing something, they can take advantage of this by making a page look like it is saying one thing when it is in fact saying another." (https://darkpatterns.org/) So although giving cookie consent requires an active decision by the user, and most consent buttons are switched off by default, you don't always take the time to think about what you are declining or consenting to when you are looking for quick information on different websites: "for example, when we want to get rid of a particular distraction (a banner), or we're in a hurry to get something done (sign up to a social network)." Imagine you are visiting a website and a banner pops up asking which cookies you want to accept or deny. Your decision could then be based on things like the colouring, the placement of the buttons or even the size of the banner. That means these banners can also be designed to make you act in a way you didn't intend, for instance by accepting all third-party cookies. This phenomenon is called 'dark patterns'. While rules against dark patterns and inaccurate information about how cookies work on websites have been in place since even before the GDPR, the European Parliament has struggled to enforce them because there is no common methodology for identifying them.


“So, is Internet use for European citizens more secure than that of other world citizens? Or not really?”

When traveling outside the EU you won't find many places with similar regulations, and your online privacy might not be protected in the same way. However, a few other countries have recently started implementing new data protection rules, which can be seen as the "Brussels effect": "a phenomenon wherein European laws and regulations are used as a global baseline due to their gravitas." 'Gravitas' here relates to the EU's commercial significance. Since a large number of companies and consumers are based in the EU, companies elsewhere are effectively forced to comply with EU rules. A few states and regions in which we have seen the Brussels effect take place are:

  • Nigeria: One year after the GDPR came into effect, Nigeria implemented its Data Protection Regulation. Many of the concepts in this regulation mirror the EU GDPR. "(…) the level of compliance is now growing at a fast rate, making Nigeria the leading nation in Africa in terms of data protection." It seems that president Kashifu Inuwa Abdullahi used it as a move directed especially at the banking world, giving Nigeria a strategic position in the market. At the same time, a number of Data Protection Compliance Organisations were able to create nearly 3000 new jobs.

  • California: A more recent development is the California Consumer Privacy Act, which gives consumers more control over the personal information that businesses collect about them. This landmark law secures new privacy rights for California consumers, including: the right to know where their personal information is kept, the right to have this information deleted, the right to opt out of the sale of this personal information, and the right not to be discriminated against for exercising these rights.

  • Brazil: This year Brazil's Lei Geral de Proteção de Dados (LGPD) was also announced. This regulation "(…) creates a legal framework for the use of personal data of individuals in Brazil, regardless of where the data processor is located. It is closely modelled after the European Union's General Data Protection Regulation (GDPR) and like GDPR, the LGPD has far reaching consequences for data processing activities in and outside of Brazil." (https://www.upguard.com/blog/lgpd)

We can thus see that the activation of the GDPR has caused a wave of data protection awareness worldwide, and we hope to keep seeing ripple effects of this in the future.

Be part of the future and share your thoughts!

Having reflected on how the GDPR works for European citizens on a personal level, it is important to realize that Europe has made good progress in pushing these regulations. So far they seem to have had a big impact outside the continent as well. But this is still the beginning of a process, and we have a long way to go before the internet is entirely secure. When it comes to data gathering and processing, it is especially the way different pieces of information about you are linked together that can have serious implications for your individual privacy. Having your personal information sold to third parties could expose you in ways you never wanted. That is why we encourage you to debate the developments regarding your data. What would you like to see in the future? Are cookie banners effective enough? Should privacy become a standard part of our curricula instead of an elective? We'd love for you to share your thoughts in the comments.


Robin Jane Metzelaar, 17/9/20.


This post might have made you curious about what you could do to protect your data. Luckily there are many initiatives that are trying to make it easier to take back control over it! We share some of them here, and we encourage you to have a look into some of the sources at the bottom of this post as well. What do you think? Are there any tools or initiatives we forgot to mention?


MyDataDoneRight.eu is a tool that helps you get an overview of the information that is out there about you. It is an initiative by a coalition of European digital rights organizations and volunteers, and it allows you to request your personal data from platforms you have used, manage it, and request its deletion in just a few simple steps.

Ghostery & Privacy Badger — One way to prevent trackers from gathering personal data in the first place is to use tools that detect and block trackers. Ghostery and Privacy Badger are two of those. Ghostery is a free and open-source privacy and security browser extension and mobile browser application. It is owned by a German company (Cliqz International) and lets you see which HTTP cookies are being set and by whom. Similarly, Privacy Badger is an open-source extension that blocks advertisements and tracking cookies that do not respect the 'Do Not Track' setting in a user's web browser. It is maintained by the Electronic Frontier Foundation, a U.S. initiative (naturally based in California) that has played a very important role in securing civil rights in cyberspace and has worked on this on a not-for-profit basis for nearly thirty years.


DarkPatterns.org — If you are using an app or a website on which you think you are being steered into doing something, or on which it is very hard to change your settings (or even delete your account), then darkpatterns.org is a platform where you can share information about these companies. The goals of the website are to "spread awareness and to shame companies that use them."

Sources and further reading
