Technology | Analysis

GDPR: European Union forces pace on protection of individual data on the internet

  1. Cambridge Analytica scandal exposes holes in data protection
  2. 'Data protection must be embedded in daily life'
  3. Maximum fine up to 4 percent of annual turnover
  4. More than 2.4m people have sought the 'right to be forgotten' by Google

Europe is about to stake a claim to protect the privacy of individual data on the internet that far outstrips the norm in the United States. What’s more, against a background of fresh uproar over misuse of data centered on Facebook, it sets the stage for a confrontation with Washington and the giant American corporations that dominate the internet.

The General Data Protection Regulation (GDPR) – to be implemented on May 25 – is a far-reaching set of rules focused on the shielding of individual privacy and exchange of data across borders. All companies operating across the European Union, and doing business with its 500 million people, must abide by it.

The scandal over alleged misuse of Facebook data from 50 million people by London-based political data firm Cambridge Analytica comes just ahead of the introduction of the GDPR, and can be expected to provide ammunition to European Union officials who argue that the big U.S. internet companies cannot be trusted to regulate themselves (Financial Times, may be paywalled).

While there’s activism in the United States around the exchange of data and level of personal consent, official concern over data privacy is far weaker than in Europe. The Privacy Shield program administered by the U.S. Department of Commerce, which applies to business data between the EU and United States, isn’t a comprehensive solution.

Some see protectionist tendencies in Europe against the dominance of American technology companies; but the roots of European concerns over individual privacy go deeper, and include firsthand experience of totalitarian governments (Bertelsmann Foundation).

While the big U.S. internet companies – known in the European Commission as GAFA (Google, Apple, Facebook, Amazon) – move fast and with a high degree of freedom, regulation is catching up.

GDPR is Europe’s response to the exponential growth of data, and aims to protect people – and their privacy – as a priority. 

“Data protection must be embedded in daily life. Data protection [is] serious and it should not be delegated to IT or lawyers, or just in case,” European Data Protection Supervisor Giovanni Buttarelli told WikiTribune.

Among key elements in the new legislation are:

  • The so-called “extra-territorial applicability” of GDPR means data must be held in or accessible from the European Union.
  • The “privacy-by-design” concept must be built into services from the start, with explicit consent and greater clarity on use of data.
  • Greater fines for non-compliance: those in breach of GDPR can be fined up to 4 percent of annual global turnover or €20 million (whichever is greater).

(See WikiTribune’s community explainer on the GDPR).

Changing attitudes across Atlantic

The United States has always differed on privacy with the EU, as shown by both sides’ legal frameworks. Though the “right to privacy” is upheld in both the Universal Declaration of Human Rights and the European Convention on Human Rights (Article 8), it’s not explicitly mentioned in the U.S. Constitution.

However, according to Albert Gidari, consulting director of privacy at the Stanford Institute of Internet and Society, more Americans are growing concerned about their privacy.

“In the wake of thousands of breaches and security lapses, and some pretty egregious misuses of data, the consensus, largely, is that consumers need more protection when it comes to data. And the GDPR is going to effectuate that, to the surprise of a lot of people in the U.S.,” he told WikiTribune.

In 2017 alone, massive data breaches occurred from major companies including Yahoo, Deloitte, Equifax, and Verizon (Wired).

A recent study from the Pew Research Center found that nearly two-thirds of respondents, 64 percent, reported data theft. The study also said half of all Americans believe their information is less secure now than five years ago. Many don’t trust institutions to protect their data, whether it’s the government or private sector.

“GDPR is a game changer in the U.S. for many companies,” said Gidari. “The big companies, at least, have made huge strides in achieving compliance with the requirements, contrary to some perception that there’s a lot of resistance to it.

“Companies have really accepted it and, as a result, ironically, it isn’t [just] the European community and residents who will see the big benefit from it, it’s actually U.S. consumers.”

A 21st-century approach

GDPR represents an evolution in Europe’s history of data protection. It replaces the Data Protection Directive (DPD), implemented in 1995 when the internet was still in its infancy. Other countries, including Sweden and the UK, later followed suit with their own sets of comprehensive data rules. One of the new regulation’s aims is to harmonize differing approaches.

The change from the DPD to GDPR is an acknowledgement of how much the internet has changed – from “open” to a so-called state of “surveillance capitalism” – and that the old regulation system is no longer fit for the digital age. About 40 percent of the world – 3.9 billion people (Internet Live Stats) – now has access to the internet, opening up a growing market and creating a vast trove of information. 

The change also reflects increasing concern over unauthorized monitoring or use of data, which came into focus when whistleblower Edward Snowden exposed the extent of U.S. National Security Agency spying in 2013.

In an interview with tech website Recode, Europe’s Competition Commissioner Margrethe Vestager explained why data mining by commercial interests is inevitable, so some protection is needed.

“I am an economist, so I know that there is no such thing as a free lunch,” she said. “You pay with one currency or another – either cents, or you pay with your data, or you pay with the advertisements that you accept. And I think people are becoming more and more aware of the fact that their personal data do have a value.

“What we see in Europe is that a huge proportion of citizens find that they are not in control.”

GDPR strengthens the rights of individuals by giving them more control over how businesses use their personal data. These include the right to be informed, to access and to rectify personal data records if they are inaccurate or incomplete. The right to erasure, also known as the “right to be forgotten,” means consumers can request companies delete their data – this could be done simply because someone is no longer a customer of a company. 

Google revealed in its latest transparency report that more than 2.4 million people have filed “right to be forgotten” requests since the EU passed the law in 2014. The vast majority of requests (89 percent) came from individuals, and politicians and celebrities were represented disproportionately.

Google’s infographic on “right to be forgotten.” Credit: Google. 

New era, new rules

Since internet use became common about 25 years ago, the amount of data exchanged has escalated exponentially.

According to a 2017 report by IBM, 90 percent of the world’s data were generated in the previous two years alone. Every day, users create 2.5 EB (exabytes) of data, unintentionally allowing interested parties to collect information about political or religious views, or locations and movements. Much of this data drive innovative industries, such as artificial intelligence and the burgeoning sector of digitally controlled devices, the Internet-of-Things (IoT).

Peter Trainor, co-founder of artificial intelligence company UsAi, said that though he believes GDPR is good, it represents a “nightmare scenario” for his industry.

“AI needs a massive amount of data … [but now] people must be provided with an explanation of a decision made about them – that’s the killer blow for AI and machine-learning,” he said. “The machines are often making decisions out of our direct control … inferring a decision that [we] would otherwise expect a person to make.”

Even so, Trainor added that overall, GDPR is positive because it informs people on the importance of their data.

“It at least gives the public an overview of the fact that they have data, and it’s valuable, and brands own or use it,” he said. “The majority of people don’t understand data. [GDPR] lifts the lid off it and ensures all brands and providers of AI are transparent.”

‘GAFA’ set an example

The four most powerful American tech giants – Google, Apple, Facebook, Amazon, or GAFA as they’re known in European Commission parlance – rely on large amounts of data to conduct their businesses. Google and Facebook combined are set to bring in 84 percent of global advertising revenue, excluding China, according to a 2017 forecast from GroupM, a media agency owned by advertising and communications conglomerate WPP. 

But the relationship between GAFA companies and the EU has always been tense. For example, in 2017, the EU slapped a €2.14bn antitrust fine on Google for what it said was manipulation of its search engine results in favor of its shopping services. Google is still appealing the fine.

Nonetheless, GAFA companies have appeared ready to comply with GDPR, deploying hundreds of Data Protection Officers (DPOs) to prepare for the May deadline. 

Facebook announced in January it will roll out a global privacy settings hub that will “make it much easier for people to manage their data,” said its COO Sheryl Sandberg. The New York Times reported that Facebook also decided not to roll out some of its new products, since they would violate privacy laws.

However, according to a recent Reuters exclusive, Facebook is trying to reduce its legal liabilities under GDPR. This means that non-EU citizens won’t be protected even if their data is processed in the EU.

The New York Times also reported Google has started letting people all over the world choose which data they want to share via its various products, including Gmail and Google Docs. Amazon has also been improving data encryption on its cloud storage.

These extra steps are taken because the penalties are much greater under GDPR. The maximum fine for the most serious offenses is 4 percent of an organization’s global turnover, or €20 million ($24.6m), whichever is greater.

Data is power

Data might be the new oil, but who owns it? This report by The Economist maintains that it’s internet giants such as Google or Facebook. But GDPR dictates, in the case of personal data, that it’s private citizens, effectively changing the public’s power relationship with companies.

Recent revelations in data breaches mean that people all over the world are realizing how their personal information could be jeopardized and exploited. Uber is a notorious example of a company accused of mishandling the data of its customers, and now has to go through 20 years of auditing (TechCrunch). A 2017 ICO survey showed most UK adults don’t trust businesses with their data.

“If GDPR represents anything, it’s that you have to access and plan for and foresee the negative consequences of your product or service – not just the benefits,” said Stanford’s Gidari.

“We’ve lived in a world for 20 years where we only focused on the good stuff and ignored the bad stuff that was or could happen,” he said.

“I think the heart of GDPR in the end is that companies better think about the positives and the negatives together and mitigate the negative to the extent possible or at least give users some choice in it.”

A future web

In his book, The Attention Merchants, legal scholar Tim Wu – who coined the phrase “net neutrality” – explored how companies turned the web into an attention-machine to monetize the public’s data, offering “free services” while earning billions along the way.

Wu’s vision of the internet (The Guardian) is of one unlikely to break away from the historic cycle of communication technologies, which start out chaotic and open and eventually come under the control of industries.

But will GDPR change who controls the internet?

“This one’s a game changer for everyone” – UK Information Commissioner

Experts agree GDPR will shift the balance of power between citizens and companies – certainly within the European Union. At the least, it will reduce corporate control of the web by creating friction over how data is harvested.

“If you eliminate the ability to profit [from advertisement], then you eliminate the ability for ‘free’ services [e.g. Google] to survive, and really see a dramatically different internet,” said Gidari.

Perhaps most importantly, GDPR is about changing “how we think about data protection,” said Elizabeth Denham, Information Commissioner of the ICO, in a 2017 speech.

“[GDPR] brings a more 21st-century approach to the processing of personal data. And it puts an onus on businesses to change their entire ethos to data protection,” she said. “Make no mistake, this one’s a game changer for everyone.”


Started by

United Kingdom
Linh is a staff journalist at WikiTribune with a background in the humanities. She covers the Middle East, Asia, conflict and technology. Though based in London, she has freelanced across Asia, the UK and U.S.

History for stories "GDPR: European Union forces pace on protection of individual data on the internet"

19 April 2018

14:02:28, 19 Apr 2018 . .‎ Linh Nguyen (Updated → added reuters exclusive)

29 March 2018

08:10:27, 29 Mar 2018 . .‎ Linh Nguyen (Updated → added GDPR in headline for SEO)

22 March 2018

06:22:18, 22 Mar 2018 . .‎ Charles Anderson (Updated → untick hero)
06:20:47, 22 Mar 2018 . .‎ Charles Anderson (Updated → update)

21 March 2018

20:37:23, 21 Mar 2018 . .‎ Huw Diprose (Updated → Wrong acronym. DPAs tend to refer to agreements or acts.)
17:26:35, 21 Mar 2018 . .‎ Linh Nguyen (Updated → fixing highlights)
17:25:33, 21 Mar 2018 . .‎ Linh Nguyen (Updated → updated reading list)
17:23:31, 21 Mar 2018 . .‎ Chuck Thompson (Updated → copyedit)
14:28:24, 21 Mar 2018 . .‎ Linh Nguyen (Updated → added line at the bottom)
14:24:59, 21 Mar 2018 . .‎ Linh Nguyen (Updated → fixed format)
14:23:07, 21 Mar 2018 . .‎ Linh Nguyen (Updated → added reading list)
14:03:29, 21 Mar 2018 . .‎ Linh Nguyen (Updated → accepted edits)
13:57:15, 21 Mar 2018 . .‎ Robbie Morrison (Updated → added "in the case of personal data" because qualification is needed)
13:54:08, 21 Mar 2018 . .‎ Robbie Morrison (Updated → minor copy-edit / "million" should be downcased)
13:53:02, 21 Mar 2018 . .‎ Robbie Morrison (Updated → changed to exabytes as "quintillion" is ambiguous and rare)
12:29:41, 21 Mar 2018 . .‎ Angela Long (Updated → also tidying summary for better appearance)
12:28:50, 21 Mar 2018 . .‎ Angela Long (Updated → tightening head to fit on two lines)
12:27:49, 21 Mar 2018 . .‎ Ed Upright (Updated → lower case internet in headline)
11:53:32, 21 Mar 2018 . .‎ Linh Nguyen (Updated → tweak)
11:50:00, 21 Mar 2018 . .‎ Angela Long (Updated → business)
11:49:28, 21 Mar 2018 . .‎ Linh Nguyen (Updated → update)
11:47:47, 21 Mar 2018 . .‎ Angela Long (Updated → update)
11:47:05, 21 Mar 2018 . .‎ Angela Long (Updated → Privacy Shield mention)
11:43:05, 21 Mar 2018 . .‎ Linh Nguyen (Updated → typo fix)
11:39:24, 21 Mar 2018 . .‎ Linh Nguyen (Updated → fixed typo)
11:34:17, 21 Mar 2018 . .‎ Linh Nguyen (Updated → tightened copy)
11:18:14, 21 Mar 2018 . .‎ Peter Bale (Updated → Publishing)
10:35:42, 21 Mar 2018 . .‎ Linh Nguyen (Updated → tightened copy)
10:09:18, 21 Mar 2018 . .‎ Linh Nguyen (Updated → save)
09:59:04, 21 Mar 2018 . .‎ Linh Nguyen (Updated → changed thumbnail)

20 March 2018

17:39:02, 20 Mar 2018 . .‎ Linh Nguyen (Updated → more tweaking, for Peter)
17:35:33, 20 Mar 2018 . .‎ Linh Nguyen (Updated → experimenting with hed, passing to Peter)
17:29:10, 20 Mar 2018 . .‎ Linh Nguyen (Updated → tweak. passing onto Peter)
16:43:21, 20 Mar 2018 . .‎ Peter Bale (Updated → Handing over to Linh Peter)
15:53:07, 20 Mar 2018 . .‎ Peter Bale (Updated → Putting to pending to continue work)
11:15:46, 20 Mar 2018 . .‎ Angela Long (Updated → fixing highlights)
11:13:32, 20 Mar 2018 . .‎ Angela Long (Updated → Denham not Dunham)

19 March 2018

15:02:19, 19 Mar 2018 . .‎ Ed Upright (Updated → removed hero)
15:01:35, 19 Mar 2018 . .‎ Ed Upright (Updated → headline)
14:53:52, 19 Mar 2018 . .‎ Angela Long (Updated → changing Facebook reference)
12:50:24, 19 Mar 2018 . .‎ Ed Upright (Updated → minor tweaks)
11:23:34, 19 Mar 2018 . .‎ Angela Long (Updated → trim/would prefer better pic. AL)
11:20:15, 19 Mar 2018 . .‎ Angela Long (Updated → removing space)
11:19:34, 19 Mar 2018 . .‎ Angela Long (Updated → adding pic)
11:10:32, 19 Mar 2018 . .‎ Angela Long (Updated → breakout quote)
10:50:20, 19 Mar 2018 . .‎ Angela Long (Updated → Cambridge An refs in)
09:31:38, 19 Mar 2018 . .‎ Angela Long (Updated → tweaked intro)
09:30:42, 19 Mar 2018 . .‎ Angela Long (Updated → head and pic last details AL)
09:27:28, 19 Mar 2018 . .‎ Angela Long (Updated → needs picture AL)

Talk for Story "GDPR: European Union forces pace on protection of individual data on the internet"

Talk about this Story

  1. Other

    Please update the top section bullet point. People have a big misconception on the fines… they are even more severe than “4%”. As the law reads it is:

    Lower tier: Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher

    Higher tier: Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher

    The key provision being “whichever is higher” !!!! I feel that most are overlooking this.

  2. Other

    Great piece which tackles several social implications of GDPR and in particular its significance for denizens based in the US of A. It could be nice to have an additional and more technical paper about what GDPR effectively does.
    Cheers, and keep up the good work ! Sebastien JF

    1. Rewrite

      Hello Sebastien, please look at this explainer, written by a community member, on GDPR itself which might elucidate what GDPR effectively does.

      https://www.wikitribune.com/story/2018/03/21/technology/the-general-data-protection-regulation-explained/50774/

      Thank you for your kind words.

      1. Rewrite

        Hi Linh, I had read it, but this companion piece is focusing on legal aspects mostly highlighting differences with the US, not really what it means for organisations and people. For example, there is a discussion beyond the internet, for example on health data, which in Europe were up to GDPR in theory mostly forbidden to sell by hospitals (with big variations per country). So a potentially interesting aspect is what will happen now ? And for banking information ? And data about mobility from phone companies ? And the companies, what do they have to change ? I know that some parties like research hospitals have had updates to or setup of their data management agreements with “customers”, many did not formally have one in place for all before. And so on, I see many practical aspects popping up when scratching with that question in mind.
        Anyway, the idea to accompany your social piece by a more technical one was neither new nor lost, good! Cheers.

        1. Rewrite

          Ah I see. Yes we could certainly expand on how GDPR will affect different industries. I was fascinated by how it affected AI, for example. One of the biggest concerns is implementation and practicality – if I suggest doing an explainer on that, would you like to contribute to it? Thanks Sebastien.

          1. Rewrite

            Well I would for sure “contribute” by doing searches, drafting points, reading drafts, commenting, and so on, all taking into account that beyond my redaction style’s limitations, my current information level on this topic is not very high (hence my original interest 😉)

            1. Rewrite

              Ah, gotcha. Well those points are certainly helpful. I’ll connect with you re drafting points if I ever get the piece going. 😉

  3. Other

    Just be aware that it is a little inaccurate to say that individuals will own their personal data under the GDPR. The GDPR is based on human rights and not property rights considerations. In contrast, copyright, which protects creative works by humans, is, along with patents and trademarks, one of the big three intellectual property rights. HTH. Robbie

    1. Rewrite

      Thanks Robbie, I’ve accepted your edits.
