Data Privacy and GDPR

As the world’s most valuable resource and as coined by the economist article written in May 2017, data is the new oil. Internet and technology giant have transformed the business world and social interaction as we know it. Companies such as Amazon, Google, Facebook and Uber have more data on consumers around the world in the past 5 years than the entire history of data collection since its inception.

With that said, companies don’t always collect data in the most “ethical” way; as we have seen in class Google for example collected private data from wi-fi signals during its routine Google street view cars. Uber gets access to your phone details, your contacts, schedule amongst many other things on your phone and my personal favorite: “third-party site or service you were using before interacting with our services.” (Uber Privacy)

Many other big and small tech companies capture more information by the second and we as consumers have grown accustom to scrolling, scrolling, scrolling some more, clicking “accept”, entering personal information and start the consumption of services. Through cognitive tricks and with the help of psychologist, companies nudge consumers behavior to their benefit; it gets increasingly easier for making it more difficult for users to “opt-out” vs. “opting-in” if given the opportunity. Most of us never pause to think how can we continue using the services without sharing all this private information, we never pause to read what is being captured and tracked as we interact with the application or the platform and we never pause to question the impact on our lives if this data gets leaked or the company gets hacked due to weak security policies or lack of privacy regulations implemented by the organization.

Fortunately, the EU has drafted a new set of data protection regulations built around the protection of the user’s privacy and information. The new General Data Protection Regulation (GDPR) will be enforced on May 28 2018. Companies in violation of these regulations will be subject to a “penalty of up to 4% of their annual global turnover or €20 Million (whichever is greater)”. Most of you reading this blog are thinking great but this is in Europe and we are in the U.S., why should we care? How will it impact us?

The beauty about GDPR is “it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location”, hence all technology companies and internet giants will need to comply with these new regulations if they would like to continue operating in the EU.

It is worth noting that though data protection directives are not new to the EU, GDPR introduces new regulations that are necessary to address the issues brought forth by the evolution and creativity of today’s technology companies when it comes to data protection and privacy. The biggest 2 changes that were introduced are the global reach of GDPR and the financial penalty as previously mentioned above. Other changes include strengthened consent statements and improved data subject rights. (see more details here).

All said and done, though the GDPR is a step in the right direction focused around the protection of our data and privacy, there are still no clear and strict guidelines that are preventing companies from capturing and processing excessive data being captured that are irrelevant to the user’s experience (if there is such a concept as “excessive data”). For example, my Uber hailing and riding experience is not linked in any shape or form to Uber capturing my browsing history on “how to sue Uber” or me checking my wife’s ovulation cycle before using their application!

Hence, I believe regulations should also include clear consent “Opt-in” as an option (empty checkbox) to capture, monitor and process data not relevant to the user’s experience and services offered by the platform.

Leave a Reply