• Subscribe

Who owns your information?

Data privacy is one of the hottest topics of the 21st century. While much of the world struggles with this issue, citizens of the EU received legal reassurance with the implementation of the  General Data Protection Regulation (GDPR) on May 25, 2018.

The new regulation dictates data handling procedures for companies such as Facebook or Google and increases individual control over Personally Identifiable Information (PII).

Cyberlaw scholar Anne Toomey McKenna of Penn State’s Institute for Cyberscience and Dickinson Law celebrates the GDPR as a way to codify the privacy rights of internet users. Science Node asked her what it might mean for people and companies in the US and around the world.

Is the GDPR a positive step? Is regulation the right way to handle privacy concerns?

<strong>How informed is your consent?</strong> Accepting an app’s license agreement may mean giving away more private data than you realize. The EU’s new GDPR legislates that consent can’t be compelled as a pre-condition of use.  Courtesy Unsplash/Rawpixel.Recent events in the US have demonstrated a lack of consumer awareness of and control over the massive amount of data points collected on each consumer, and how personally identifiable information and consumer preferences are marketed and sold among private entities. With news of the Facebook/Cambridge Analytica breach, US consumers were stunned to learn how much information could be gleaned about them, and in turn, used to manipulate them.

The EU’s GDPR protects individual consumer privacy, and it gives the consumer more power to access and understand what data a company has collected about them. In the US, our model is more business-oriented and consumers have to “pay to play”—but the payment isn’t money, it’s the consumer’s consent to largely unfettered data collection in order to use the service. No consent, no use. Period.

Of course, Americans are clicking that “I accept” button for a service or app’s terms of use and privacy policy, otherwise they can’t use it. But how many people are actually reading these long, convoluted policies? Is it really consent given knowingly and willingly about what’s going to happen with one’s private, personal data, and not just the information you share knowingly like texts or pictures?

The GDPR approached this differently, requiring that consent be meaningfully and freely given. The regulation legislates that companies cannot force or compel consent as a pre-condition to use.

Due to the global nature of the internet, the GDPR mandates companies based in the US to come into GDPR compliance as well if they want to handle EU citizen data. The GDPR and the EU take a much stronger approach to the concepts of privacy by design and privacy by default.

How does the US differ in terms of privacy, and what do you mean by privacy by design and privacy by default?

In the US, we have a history of data privacy legislation that’s industry and data-type specific. For instance, we have strong legislative protections for medical data through the Health Insurance Portability and Accountability Act (HIPAA) and state law counterparts. But typically, HIPAA only applies to medical care providers and their business associates.

<strong>Personal medical data</strong> is protected in the US under HIPAA, but many other forms of private user information remain vulnerable to exploitation and commercialization. Broader regulation of data collection could change that, says McKenna. Courtesy Unsplash/Rawpixel.We also have strong protections for financial data via the Gramm–Leach–Bliley Act (GLBA), but GLBA’s protections are only afforded to personal financial data, and it only regulates specifically-defined financial institutions.

The US’s industry-specific legislative scheme leaves consumers with a huge gap in protection over their personally identifiable information or data, what we call “PII.” In contrast, the GDPR broadly defines the PII protected by the law, protecting consumer data across the board. US states have jumped in to fill the legislative void by passing laws to protect their citizens’ PII, but that has resulted in a confusing patchwork of laws for large and small businesses.

Privacy by design and default considers whether an app or software program is engineered, developed, and designed to collect as much data as possible about the user—even though the personal data collected is not necessary for or has little to do with the function of the underlying service, program, or app.

Such unnecessarily collected personal data reaps financial rewards for the app owner via sale to third parties. Privacy by design reflects an app or software program that is developed and designed to protect individual data by gathering only the data necessary to permit the successful function of the app or program.

Privacy by default protects individuals’ privacy by default programming privacy settings at the highest levels. In the US, many apps and programs are set, by default, to the lowest privacy settings possible when you download the app. Default settings under the GDPR must be set at the highest level of privacy protection: the lowest level of sharing data without limiting the function of the app.

In the US, apps and programs are also designed by default to automatically opt-in consumers to data collection processes without effective consumer notice or choice. Opting-out of data collection is often a difficult, confusing process, and designed to be difficult for consumers to achieve.

Will the GDPR give US consumers a push to try for legislation like this?

There is an intersection of events happening right now that may shift the balance in the US. GDPR is becoming a household word, and everyone has now heard about Cambridge Analytica. Folks are starting to realize, “Wow, my personal data can be taken, used without my knowledge, bought and sold, and used to manipulate me.” So yes, I do think the GDPR will help to push legislation.

<strong>Cyberscholar</strong> Anne Toomey McKenna believes that legislation clarifying rights and procedures around personal data will benefit both businesses and individuals. Courtesy Anne Toomey McKenna.In fact, clear and uniform legislation on PII data at a federal level may actually be more efficient for small and large businesses. Right now, American companies are in this weird, byzantine, legal compliance landscape that’s a hodgepodge of different state and federal laws that apply to some types of PII data but not others, and it’s very confusing.

The GDPR provides clarity for both companies and consumers. This is not a Republican vs. Democrat issue, or even business vs. individual. While GDPR compliance itself is forcing businesses on the front end to make technological changes that seem initially cost prohibitive, they really aren’t in the long run. These kinds of policies make our businesses more resilient and our consumers better educated. To be secure in the cyber business arena, we need clear laws and educated citizens. 

Join the conversation

Do you have story ideas or something to contribute? Let us know!

Copyright © 2018 Science Node ™  |  Privacy Notice  |  Sitemap

Disclaimer: While Science Node ™ does its best to provide complete and up-to-date information, it does not warrant that the information is error-free and disclaims all liability with respect to results from the use of the information.

Republish

We encourage you to republish this article online and in print, it’s free under our creative commons attribution license, but please follow some simple guidelines:
  1. You have to credit our authors.
  2. You have to credit ScienceNode.org — where possible include our logo with a link back to the original article.
  3. You can simply run the first few lines of the article and then add: “Read the full article on ScienceNode.org” containing a link back to the original article.
  4. The easiest way to get the article on your site is to embed the code below.