GDPR European Union General Data Protection Regulation 2016/679
GDPR European Union General Data Protection Regulation 2016/679 (GDPR) By Eloise Ryan, David Barnard, Rhona Malcolm, Alex Musset
What is the EU? ● Economic and social union comprising 28 member states (soon to be 27…) which share common policies in various defined areas. ● Supranational; certain legislative measures (e.g. Regulations) bind national legislatures automatically. ● GDPR = General Data Protection Regulation. Came into force on 25 May 2018. Replaced the Data Protection Directive.
Context to GDPR
Google v Costeja González (2014) 1 Google is a ‘data controller’ 2 Obligations: Data Controller vs Data Processor. Required to remove data that is "inadequate, irrelevant, or no longer relevant" ● Art 7 Charter ● Art 8 Charter 3 Outcome: EU requests can be made directly via Google - Rejection = apply to ECJ. May be ordered to remove.
Requesting Removal But the GDPR takes Data Protection Further….
What is the GDPR?
Rights Protected ● EU General Data Protection Regulation ((EU) 2016/679) ● Brought into effect on the 25th of May 2018 ● Protects the right of a person to protection of personal data concerning them. This right is codified in the TFEU and the EU Charter of Fundamental Rights ● This right has two parts: 1. Right to be forgotten 2. Right to access information collected about you ● UK survey showed 90% of consumers are interested in learning what data has been stored about them
What information? A subject access request (SAR) under GDPR requires certain information be disclosed: 1. The purpose of processing 2. The categories of data being processed 3. The recipients, including information if these are in third countries 4. How long the data is expected to be stored 5. Whether the data has been used in automatic decision-making
Current results: ● YouTube, Google, Netflix, Amazon, Apple, Spotify all accused of violating GDPR
How GDPR nearly ruined Christmas! https://www.techdirt.com/articles/20190117/10481441412/how-gdpr-is-still-ruining-christmas.shtml
GDPR Request Revealed: Netflix recorded all Bandersnatch responses https://www.theverge.com/2019/2/13/18223071/netflix-bandersnatch-gdpr-request-choice-data
How GDPR became bigger than Beyonce https://www.wired.co.uk/article/happy-gdpr-day-gdpr-hall-of-shame
How can you use the GDPR?
How to utilise the GDPR - The right to access (Art. 15) Under the GDPR data subjects have the right to obtain confirmation from the data controller as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.
SAR - Facebook The subject access request (SAR) can be done entirely electronically through your Facebook account. If you don’t have a FB account and think they hold your personal information, you can send a request via the Facebook website or via email: datarequests@support.facebook.com
SAR - Google Similar to FB, you can send a subject access request electronically through your Google account to receive a downloadable file of all your personal information that is stored.
The GDPR and Brexit ● GDPR is an EU Regulation ● The UK is leaving the EU. Will the UK still want to follow the set of standards the EU has set out in the GDPR? Yes, because of GDPR rules on sharing personal data with third countries ● UK position: ○ The Withdrawal Act retains the GDPR in UK law ○ UK recognising EEA and EU as adequate data protection ○ UK recognising adequacy decisions of third countries e.g. Canada ○ Standard contractual clauses ● EU position: ○ UK adequacy decision ○ Political commitment to cooperate with ICO
Has the GDPR had a significant impact?
Impact of the GDPR (1) generally ● Direct impact: businesses must comply with obligations imposed by the GDPR. ○ What about non-EU websites? ● The GDPR, a ‘disaster for free speech’? ● Has the GDPR actually made data more vulnerable? E.g. Amazon sent 1,700 voice recordings to the wrong user. ○ Consider, for example, if someone hacks your account. They can request all of your data - the GDPR mandates that it must be easily downloadable. ○ With data hacks, this just seems problematic - what about location-sensitive services? Or Google tracking all your moves every day (sorry Android users…).
Impact of the GDPR (2) complaints ● 95,000 complaints (Reuters). ● Max Schrems, a privacy activist, created the group “noyb” - named after the phrase ‘my privacy is None Of Your Business’. ● On 25 May 2018 (first day of GDPR enforcement), noyb filed a complaint against Google LLC. ● On 18 Jan 2019, noyb filed eight further complaints (see image). ● Does this show an impossibility to comply with the GDPR? ● Are these fines completely insane (despite being estimates)? ● Does this water down the real issues?
Impact of the GDPR (3) enforcement ● Many enforcement actions have been taken by DPAs. Examples include... ● September 2018 (the first GDPR fine): Austrian Data Protection Authority fined the owner of a betting shop. ● 21 January 2019: CNIL (French privacy regulator) fined Google LLC €50m. This was in part based on the complaint lodged in May 2018 by noyb. ○ Violations: (1) obligations as to transparency (data-collection policies were not easily accessible enough); (2) obligation to have obtained valid consent to personalise ads. ○ First major fine imposed - making a point? Ridiculously large? Necessary because a lower fine would not incentivise Google to change its policies? ● Other enforcement e.g. UK Information Commissioner’s Office & AggregateIQ. ● … What about the future?
A varied impact overall? ● Generally - conflict with freedom of expression & access to information. ● Complaints - those so far perhaps suggest it is impossible to comply with the GDPR. ● Enforcement - imposed fines have been demonstrably huge, future fines may only increase.
Is the GDPR any good? Let's take a look...
Strengths of the GDPR 1 Right to Privacy: Gives individuals power back over their data. 2 Impact: 5% = Criminals, politicians, public figures. 95% = Other people. 3 Right to an imperfect past: Impact on millennials. Refusal to give control to big corporations.
Weaknesses of the GDPR 1 Freedom of expression: Art 11 Charter 2 Interferes with the historic record: Is our personal data being available on the internet just the price we pay for being in the modern world? 3 Is censorship ever a good thing? Sidis v. FR Publishing Corp (113 F.2d 806 (1940))
So is it a force for good? The GDPR embodies the complex debate between the individual’s right to privacy vs the public’s right to know. What do YOU think?