Data privacy is one of the hottest topics of the 21st century. While much of the world struggles with this issue, citizens of the EU received legal reassurance with the implementation of the General Data Protection Regulation (GDPR) on May 25, 2018.
The new regulation dictates data handling procedures for companies such as Facebook or Google and increases individual control over Personally Identifiable Information (PII).
Cyberlaw scholar Anne Toomey McKenna of Penn State’s Institute for Cyberscience and Dickinson Law celebrates the GDPR as a way to codify the privacy rights of internet users. Science Node asked her what it might mean for people and companies in the US and around the world.
Is the GDPR a positive step? Is regulation the right way to handle privacy concerns?
Recent events in the US have demonstrated a lack of consumer awareness of and control over the massive amount of data points collected on each consumer, and how personally identifiable information and consumer preferences are marketed and sold among private entities. With news of the Facebook/Cambridge Analytica breach, US consumers were stunned to learn how much information could be gleaned about them, and in turn, used to manipulate them.
The EU’s GDPR protects individual consumer privacy, and it gives the consumer more power to access and understand what data a company has collected about them. In the US, our model is more business-oriented and consumers have to “pay to play”—but the payment isn’t money, it’s the consumer’s consent to largely unfettered data collection in order to use the service. No consent, no use. Period.
The GDPR approached this differently, requiring that consent be meaningfully and freely given. The regulation legislates that companies cannot force or compel consent as a pre-condition to use.
Due to the global nature of the internet, the GDPR requires that companies based in the US come into GDPR compliance as well if they want to handle EU citizen data. The GDPR and the EU take a much stronger approach to the concepts of privacy by design and privacy by default.
How does the US differ in terms of privacy, and what do you mean by privacy by design and privacy by default?
In the US, we have a history of data privacy legislation that’s industry and data-type specific. For instance, we have strong legislative protections for medical data through the Health Insurance Portability and Accountability Act (HIPAA) and state law counterparts. But typically, HIPAA only applies to medical care providers and their business associates.
We also have strong protections for financial data via the Gramm–Leach–Bliley Act (GLBA), but GLBA’s protections are only afforded to personal financial data, and it only regulates specifically-defined financial institutions.
The US’s industry-specific legislative scheme leaves consumers with a huge gap in protection over their personally identifiable information or data, what we call “PII.” In contrast, the GDPR broadly defines the PII protected by the law, protecting consumer data across the board. US states have jumped in to fill the legislative void by passing laws to protect their citizens’ PII, but that has resulted in a confusing patchwork of laws for large and small businesses.
Privacy by design and default considers whether an app or software program is engineered, developed, and designed to collect as much data as possible about the user—even though the personal data collected is not necessary for or has little to do with the function of the underlying service, program, or app.
Such unnecessarily collected personal data reaps financial rewards for the app owner via sale to third parties. Privacy by design reflects an app or software program that is developed and designed to protect individual data by gathering only the data necessary to permit the successful function of the app or program.
Privacy by default protects individuals’ privacy by programming privacy settings at the highest levels by default. In the US, many apps and programs are set, by default, to the lowest privacy settings possible when you download the app. Default settings under the GDPR must be set at the highest level of privacy protection: the lowest level of sharing data without limiting the function of the app.
In the US, apps and programs are also designed by default to automatically opt in consumers to data collection processes without effective consumer notice or choice. Opting out of data collection is often a difficult, confusing process, and designed to be difficult for consumers to achieve.
Will the GDPR give US consumers a push to try for legislation like this?
There is an intersection of events happening right now that may shift the balance in the US. GDPR is becoming a household word, and everyone has now heard about Cambridge Analytica. Folks are starting to realize, “Wow, my personal data can be taken, used without my knowledge, bought and sold, and used to manipulate me.” So yes, I do think the GDPR will help to push legislation.
In fact, clear and uniform legislation on PII data at a federal level may actually be more efficient for small and large businesses. Right now, American companies are in this weird, byzantine, legal compliance landscape that’s a hodgepodge of different state and federal laws that apply to some types of PII data but not others, and it’s very confusing.
The GDPR provides clarity for both companies and consumers. This is not a Republican vs. Democrat issue, or even business vs. individual. While GDPR compliance itself is forcing businesses on the front end to make technological changes that seem initially cost prohibitive, they really aren’t in the long run. These kinds of policies make our businesses more resilient and our consumers better educated. To be secure in the cyber business arena, we need clear laws and educated citizens.