The GDPR has come into force across Europe today, and with it come sweeping changes to the way the personal data of individuals is processed, retained and used.
The most obvious indication of its impact is a bulk of messages from every mailing list, store card, chat room and internet service you signed up for ever. Like many others, I’m considering it a mass unsubscribe from a heap of services I no longer use. The emails are consigned to the trash folder with only second thought being, “when did I sign up for that…?”
As a service user, it’s good news. Our digital footprints are significantly reduced, our spam folders will be filled only with pleas for help from Nigerian Royalty, and we feel a little safer.
However… the companies holding and using our data have had two years to send these emails. There’s something of a last-minute panic about it. This is, in part, because the GDPR is an incredibly ambitious and wide-ranging piece of legislation. Four years in the making, it is designed to give Europeans control and access to the data, and the right to be protected if their privacy is breached.
For companies who have operated for years on the basis of hoarding as much data as they can on as many people as they can, this is something of a difficulty. A requirement of the GDPR is that service users can request access to their personal information held by a company. If that data is on three or four different services, liberally shared with trusted third parties, or on Europeans outside the EU or non-Europeans inside the EU, handing that data over within the required 30 days might be possible.
Then there is the definition of terms that has yet to be made concrete. “Consent” is apparently not clear-cut – should it be implied or explicit? “Personal data” is somewhat nebulous – while name, date of birth and address are all personal data, is it too indirect to keep data on a nameless 42-year old male with pancreatic cancer who lives in 22391 Dept 40? While the Legislation itself provides for these definitions, they have yet to be tested in practice.
And when breaches are reported, it turns out the regulators themselves might not be prepared to act. Although the GDPR has created a central body, the European Data Protection Board which will oversee a consistent application of the regulation across Europe, the regulators themselves will not be a single, central European force.
Rather the regulators will be a national or regional taskforce in the 28 Member States. A recent Reuters Survey found that 17 of the 24 authorities who responded felt that they lacked either the funding or the powers, or both, to undertake their duties as per the GDPR. This was a situation that was expected to be resolved soon. Some of this is down the slow ratification process of European regulation into national law where the GDPR was not yet updated onto the national books.
The fines for breaches that can be levied can be up to 4% of revenue, which for Amazon, for instance, could be around $7billion. The shortfall in funding and resources could be made up for with only one or two big pay-outs. However, that is by no means assured when getting those first prosecutions will such a mismatched fight.
Initially, the enforcement of the GDPR will likely be inconsistent. How cases are selected to be pursued could be on merit, likelihood of success or the eventual pay-outs. Norms will emerge over time, as will definitions, best practices and legislation. While some will argue that no one is ready for the GDPR, we cannot afford to wait any longer. We should be patient while regulators and service providers iron out the kinks, and as with much of EU legislation, it will likely become a gold standard internationally.
The GDPR is a welcome piece of legislation, that is widely agreed. The free-for-all cannibalisation of users’ personal information has gone on for too long, and at great cost to our social fabric, democracy and integrity. In light of the recent Cambridge Analytica and Facebook data breaches, the Regulation is welcomed by all except those who have profited from misusing and exploiting our data. Now that it will be more difficult to buy, use and sell, one wonders what will fill the void to keep the economic powerhouse going, and what new ways service providers will find to exploit us.
The GDPR has come into force across Europe today, and with it come sweeping changes to the way the personal data of individuals is processed, retained and used.
The most obvious indication of its impact is a bulk of messages from every mailing list, store card, chat room and internet service you signed up for ever. Like many others, I’m considering it a mass unsubscribe from a heap of services I no longer use. The emails are consigned to the trash folder with only second thought being, “when did I sign up for that…?”
As a service user, it’s good news. Our digital footprints are significantly reduced, our spam folders will be filled only with pleas for help from Nigerian Royalty, and we feel a little safer.
However… the companies holding and using our data have had two years to send these emails. There’s something of a last-minute panic about it. This is, in part, because the GDPR is an incredibly ambitious and wide-ranging piece of legislation. Four years in the making, it is designed to give Europeans control and access to the data, and the right to be protected if their privacy is breached.
For companies who have operated for years on the basis of hoarding as much data as they can on as many people as they can, this is something of a difficulty. A requirement of the GDPR is that service users can request access to their personal information held by a company. If that data is on three or four different services, liberally shared with trusted third parties, or on Europeans outside the EU or non-Europeans inside the EU, handing that data over within the required 30 days might be possible.
Then there is the definition of terms that has yet to be made concrete. “Consent” is apparently not clear-cut – should it be implied or explicit? “Personal data” is somewhat nebulous – while name, date of birth and address are all personal data, is it too indirect to keep data on a nameless 42-year old male with pancreatic cancer who lives in 22391 Dept 40? While the Legislation itself provides for these definitions, they have yet to be tested in practice.
And when breaches are reported, it turns out the regulators themselves might not be prepared to act. Although the GDPR has created a central body, the European Data Protection Board which will oversee a consistent application of the regulation across Europe, the regulators themselves will not be a single, central European force.
Rather the regulators will be a national or regional taskforce in the 28 Member States. A recent Reuters Survey found that 17 of the 24 authorities who responded felt that they lacked either the funding or the powers, or both, to undertake their duties as per the GDPR. This was a situation that was expected to be resolved soon. Some of this is down the slow ratification process of European regulation into national law where the GDPR was not yet updated onto the national books.
The fines for breaches that can be levied can be up to 4% of revenue, which for Amazon, for instance, could be around $7billion. The shortfall in funding and resources could be made up for with only one or two big pay-outs. However, that is by no means assured when getting those first prosecutions will such a mismatched fight.
Initially, the enforcement of the GDPR will likely be inconsistent. How cases are selected to be pursued could be on merit, likelihood of success or the eventual pay-outs. Norms will emerge over time, as will definitions, best practices and legislation. While some will argue that no one is ready for the GDPR, we cannot afford to wait any longer. We should be patient while regulators and service providers iron out the kinks, and as with much of EU legislation, it will likely become a gold standard internationally.
The GDPR is a welcome piece of legislation, that is widely agreed. The free-for-all cannibalisation of users’ personal information has gone on for too long, and at great cost to our social fabric, democracy and integrity. In light of the recent Cambridge Analytica and Facebook data breaches, the Regulation is welcomed by all except those who have profited from misusing and exploiting our data. Now that it will be more difficult to buy, use and sell, one wonders what will fill the void to keep the economic powerhouse going, and what new ways service providers will find to exploit us.
The GDPR has come into force across Europe today, and with it come sweeping changes to the way the personal data of individuals is processed, retained and used.
The most obvious indication of its impact is a bulk of messages from every mailing list, store card, chat room and internet service you signed up for ever. Like many others, I’m considering it a mass unsubscribe from a heap of services I no longer use. The emails are consigned to the trash folder with only second thought being, “when did I sign up for that…?”
As a service user, it’s good news. Our digital footprints are significantly reduced, our spam folders will be filled only with pleas for help from Nigerian Royalty, and we feel a little safer.
However… the companies holding and using our data have had two years to send these emails. There’s something of a last-minute panic about it. This is, in part, because the GDPR is an incredibly ambitious and wide-ranging piece of legislation. Four years in the making, it is designed to give Europeans control and access to the data, and the right to be protected if their privacy is breached.
For companies who have operated for years on the basis of hoarding as much data as they can on as many people as they can, this is something of a difficulty. A requirement of the GDPR is that service users can request access to their personal information held by a company. If that data is on three or four different services, liberally shared with trusted third parties, or on Europeans outside the EU or non-Europeans inside the EU, handing that data over within the required 30 days might be possible.
Then there is the definition of terms that has yet to be made concrete. “Consent” is apparently not clear-cut – should it be implied or explicit? “Personal data” is somewhat nebulous – while name, date of birth and address are all personal data, is it too indirect to keep data on a nameless 42-year old male with pancreatic cancer who lives in 22391 Dept 40? While the Legislation itself provides for these definitions, they have yet to be tested in practice.
And when breaches are reported, it turns out the regulators themselves might not be prepared to act. Although the GDPR has created a central body, the European Data Protection Board which will oversee a consistent application of the regulation across Europe, the regulators themselves will not be a single, central European force.
Rather the regulators will be a national or regional taskforce in the 28 Member States. A recent Reuters Survey found that 17 of the 24 authorities who responded felt that they lacked either the funding or the powers, or both, to undertake their duties as per the GDPR. This was a situation that was expected to be resolved soon. Some of this is down the slow ratification process of European regulation into national law where the GDPR was not yet updated onto the national books.
The fines for breaches that can be levied can be up to 4% of revenue, which for Amazon, for instance, could be around $7billion. The shortfall in funding and resources could be made up for with only one or two big pay-outs. However, that is by no means assured when getting those first prosecutions will such a mismatched fight.
Initially, the enforcement of the GDPR will likely be inconsistent. How cases are selected to be pursued could be on merit, likelihood of success or the eventual pay-outs. Norms will emerge over time, as will definitions, best practices and legislation. While some will argue that no one is ready for the GDPR, we cannot afford to wait any longer. We should be patient while regulators and service providers iron out the kinks, and as with much of EU legislation, it will likely become a gold standard internationally.
The GDPR is a welcome piece of legislation, that is widely agreed. The free-for-all cannibalisation of users’ personal information has gone on for too long, and at great cost to our social fabric, democracy and integrity. In light of the recent Cambridge Analytica and Facebook data breaches, the Regulation is welcomed by all except those who have profited from misusing and exploiting our data. Now that it will be more difficult to buy, use and sell, one wonders what will fill the void to keep the economic powerhouse going, and what new ways service providers will find to exploit us.