How Far Can GDPR Go to Protect You?
Data isn't harmless. Data isn't abstract when it's about people. It's not data that's being exploited, it's people that are being exploited. It is not data and networks that are being influenced and manipulated, it is you.
a former CIA employee who revealed numerous global surveillance programs, prompting a cultural discussion about individual privacy.
In May 2018, the European Union (EU) enacted the General Data Protection Regulation or GDPR as it is more commonly known — the new personal data protection legislation that promised to change the future of data privacy once and for all.
With the second GDPR anniversary approaching, it’s an excellent time to revisit the claims and promises from the launch of this EU data protection legislation.
Let’s take a closer look at the GDPR guidelines and their impact on our online privacy.
GDPR in short
The stated goal of developing and enacting GDPR was to fight spam and reduce the amount of personally identifiable information available to websites. EU citizens were finally given the right to demand the deletion of their personal data and ensure strict control over the way businesses use the customer data they could access. Yey!
GDPR was declared the next step in harmonizing and aligning data protection regulations across Europe. And every online business or organization was super serious about complying with it. Otherwise, they’d have to pay a huge fine of 20 million Euros or 4% of their annual worldwide turnover, whichever was higher.
If you’re into this sort of reading, the full GDPR text is available from the official website. However, let us translate it into plainer language for you:
- If you want it then you should put a check in it
EU-based internet users have to give explicit and frequent consent to allow the collection of their data on the websites they visit. Previously, this consent was implied, but now, you have to click a large “I AGREE” button whenever you open the website of any EU-located business or organization.
- Remember to forget you
Customers received the “right to be forgotten”. This means businesses must delete all data related to a customer on demand and/or pay for its secure return to the customer in any format.
- I like the way you process
GDPR stipulates several requirements for data processing: processing it according to the law and for a defined purpose, minimizing the volume of data held, keeping the stored data relevant and up-to-date, enabling data portability, minimizing the storage period, ensuring the security of the data storage and ensuring accountability of operations.
- Don't go losing my data
Any data breaches that might have exposed personal customer information need to be immediately reported.
- (Help!) I need somebody
Every business dealing with the personal data of European customers must hire a data protection officer — a data custodian and GDPR enforcer responsible for monitoring data collection, storage, access, and transfer during business operations to ensure compliance with GDPR regulations.
Unfortunately, due to such broad and vague definitions (and believe us, we tried to make this sound as simple as possible), the GDPR personal data processing workflows are far from what the legislators intended. And here’s why.
4 gaping GDPR loopholes
Spoiler alert: just like everything else in the world, GDPR is imperfect.
1. GDPR does not apply when you pay through a non-EU website
GDPR applies to “data controllers outside the EU” but cannot be enforced when they are offering goods and services without the intent of gaining profit.
This way, companies outside the EU can establish marketing portals located within the GDPR territorial scope and comply with GDPR requirements — but the actual payments (and the processing of personal data belonging to EU customers) will take place on other websites, governed by other laws.
2. Your data collector is not your data processor. So you cannot track the data chain
Data collected under GDPR can then leave GDPR protection when it is not related to offering goods and services.
For example, a US-based company can collect data from EU customers according to GDPR — with prior consent, of course. But once it sells this data to a US-based company that has no intent to offer goods or services, GDPR protection ends there.
And after a couple more transactions like this, a wave of spam will flood email addresses provided with the consent of clueless users. Invisible data chains are the reason you get spam emails.
Article 14 of GDPR stipulates the right of any customer to request confirmation from their data processor regarding how their data is used.
However, GDPR does not require the data processor to perform the data storage under GDPR requirements. It doesn’t even require the data controller to disclose the name of the company handling data storage — only the category of company involved.
As we explained earlier, a chain of several transactions makes all of its participants free from GDPR obligations. This way, EU customers can receive spam emails and no one will be held responsible.
3. Inferred data is still a thing under GDPR
Inferred data or “derived data” is personal data not directly submitted by the customer.
This way, for instance, data about your daily schedule stored by calorie tracking applications can be used to infer your dietary regime. This helps personalize the direct marketing of specific types of foods when you get hungry.
4. Legitimate interests of a business and the rights of a customer are hard to balance
Most online businesses (especially in the marketing and advertising industries) make a profit by aggregating customer data and deriving value from this.
Even where customers have explicitly expressed consent for data processing, the GDPR grounds for personal data usage can be overridden by the legitimate interests of businesses. If a business can prove that implementing GDPR would cause it to stop operating, it can use the claim of legitimate interests to abolish certain processes.
As you can see, these arguments against GDPR show that the law is far from perfect and has to be improved in many ways before it can really protect interactions between businesses and their customers.
Potential consequences of GDPR
One of the possible consequences of GDPR was described in the Facebook usage case: we provide the social network with our private information so it can provide more personalized results for us. Facebook monetizes this data by providing ads relevant to our location, hobbies, and occupation — and we agree to this exchange.
If we apply GDPR provisions in full, we will have to express consent before every action on Facebook and pay the social network for using it under a subscription or paywall model. The basic functions would be available for free (or in exchange for our basic personal data), but more advanced functions would be paid for. Sounds surreal, doesn’t it?
Would you like to pay Facebook every time you open the app to see what your friends are up to? Probably not. But is letting the social media giant handle and mishandle your personal data better? Questions like this are never easy, and it seems like everyone has a different answer.
* * *
We might not know what’s next for GDPR, but there’s something we can all do as a global community of internet users to exercise our rights and control GDPR applicability. We shouldn’t wait for legislators to improve the faulty law, because the only person in the world truly concerned about your online privacy is you.
So, it’s best to just stop and think twice before going online and take the necessary security measures yourself.