LONDON — Unless you’ve been living under a rock, you’ll likely be aware that Europe has a revamped set of privacy rules coming into force on May 25.
For many, the timing could not be better. The recent Facebook data scandal is still ringing in people’s ears, so the public’s awareness of — and interest in — how their data is collected and used by the likes of big internet players and governments has never been higher.
But with the countdown on to when the EU’s General Data Protection Regulation, or GDPR, officially becomes law, there’s already a lot of scaremongering and outright lies circulating about what these new standards are and, importantly, what they are not.
To help you navigate the often complex (and, some would say, boring) world of privacy, here are a few tricks of the trade that should make the next week — and the months to come — a little more bearable.
Keep calm and click on
If you’re like most of us, you’ve been inundated with emails from everyone under the sun, asking for your consent to keep receiving updates from them.
First, be careful that these aren’t so-called phishing attacks, or messages sent by hackers trying to trick you into handing over your personal data or spreading malware. But if you’re satisfied that these emails are authentic, it should be pretty straightforward to decide whose mailing lists you do, and don’t, want to stay on under Europe’s new rules. In the end, data protection should not be rocket science.
And that’s the thing about the upcoming changes. They don’t have to be that complicated. Already, many companies — often those that haven’t taken steps to prepare for May 25 — are spreading rumors about the regulatory burden that the new standards will put on people, particularly small businesses that don’t have the financial muscle to reboot their privacy policies. But that’s more myth than reality.
“There are some incredible ideas about how GDPR will affect people,” Věra Jourová, the European justice commissioner, said. “I don’t believe my eyes sometimes.”
It’s arguable that Europe’s privacy rules, although a step beyond the region’s existing rights, merely build on what has been on the legislative books for decades. And people — often with a limited understanding of how these rules will apply — shouldn’t be put off by the mountains of digital legalese now clogging up their mailboxes. For almost all of us, there’s no need to change what we’re doing online. Everything will be fine.
Know your rights and use them
Rules are only as good as the people who use them. And the same goes for Europe’s new privacy rights.
Several nonprofit and privacy organizations are already planning a full-court press in terms of data protection complaints against some of the world’s largest tech companies. But that doesn’t mean that you, as a citizen, shouldn’t also take advantage of streamlined enforcement mechanisms that are supposed to make it easy for everyone — even a digital novice — to ask any company what information they hold on you and, if you decide, to pull the plug on such data access.
Across the EU, government ministries, national regulators and local advocacy groups are running get-out-the-word campaigns to both educate the public about their new rights and offer individuals user-friendly templates to submit queries to companies and governments with just a few clicks of a mouse.
In Germany, for instance, Digitale Gesellschaft, a local nonprofit, won financial backing from the national government to create a website with videos, documents and even an online game to help people get the most out of Europe’s new privacy rules. “It’s about awareness, about empowerment,” said Julian Jaursch, who is helping to run the campaign. “We want people to understand the general importance of data in their everyday lives.”
So what rights are worth focusing on? Under the new rules, anyone can pull their consent from companies collecting and using their data at the drop of a hat. That could be particularly helpful if, say, a large social network or search engine uses your information for something like intrusive targeted digital advertising that you’re not the biggest fan of.
Companies: You’ve been warned
It’s become a cliché to say that all companies are now digital companies. But it’s also true that data collection is no longer limited to the likes of Google and so-called data brokers, or companies that vacuum up people’s information to sell to the highest bidder.
Everyone from global automakers to your local neighborhood restaurant holds some form of information on you, even if that’s just an email address or phone number. And Europe’s new privacy standards are pretty clear on the responsibilities that these firms now have — there are no more excuses. If you collect people’s information, and then something goes wrong, you’re on the hook for potentially eye-watering fines, no matter what your reasons for not complying may be.
“GDPR is real, there’s no grace period,” said Trevor Hughes, president of the International Association of Privacy Professionals, a trade group. “Expect regulators to be activists in policing the new rights.”
So it’s time to get your house in order. For some, that involves the wholesale deletion of customer mailing lists, which, to me, feels like using a hammer to crack a nut. You don’t have to go to such extremes. But a basic audit on what data you hold, how it’s used and who outside of your company also has access to it are the first steps toward compliance, which should have been well underway ahead of the May 25 deadline.
It’s about changing how you look at data collection.
Gone are the days when it was a relative free-for-all where companies and governments — with a few rudimentary privacy consent requests to individuals — could do almost whatever they wanted with people’s data. In its place is a world where accountability, transparency and proportionality when harvesting information will soon become the norm.
You might not like that. But it is the new reality.
Mark Scott is chief technology correspondent at POLITICO.