You may already be superficially acquainted with the acronym GDPR. If you’ve ever signed up for or interacted with a site or app that does business in Europe, chances are, your inbox has been filling with emails from companies warning you of privacy policy updates or asking you to “click here to let us know you want to stay in touch.”
That’s because of the European Union’s General Data Protection Regulation (GDPR), a set of sweeping new privacy rules that could change the way businesses collect information online. The GDPR takes effect this Friday, May 25, and affects any company with dealings in the EU, not just those based in Europe.
READ MORE: Not just Facebook: How retailers and the payments industry can track, profile you
That’s one reason why the GDPR impacts Canadians, too. Some companies, like Microsoft, have pledged to extend GDPR protections to users worldwide. Many others, like Facebook and Google, have simplified their privacy controls or privacy policies. And privacy advocates in Canada are pointing to EU legislation as the example this country should follow.
So how exactly will GDPR change the Internet for Canadians?
GDPR is the first major attempt to make privacy the default setting on the Internet
The idea at the heart of the new EU regulations is that user privacy should be the default setting, said Ann Cavoukian, Ontario’s former Information and Privacy Commissioner and current head of the Privacy by Design Centre of Excellence at Ryerson University in Toronto.
- Posters promoting ‘Steal From Loblaws Day’ are circulating. How did we get here?
- Canadian food banks are on the brink: ‘This is not a sustainable situation’
- Solar eclipse eye damage: More than 160 cases reported in Ontario, Quebec
- 3 women diagnosed with HIV after ‘vampire facials’ at unlicensed U.S. spa
The rules compel companies to obtain explicit permission from customers to use their data.
In other words, for example, just because you’ve shared your information on social media to stay in touch with family and friends, no longer means the company can automatically use that data for targeted ads.
READ MORE: Privacy officials looking into reports Bell, Telus, Rogers shared Canadians’ location data
Another principle embedded in the EU legislation is that of “data portability.” The idea is that if you, at any point, switch companies, you have the right to easily obtain and transfer your personal information.
WATCH: Zuckerberg says his personal data also sold to ‘malicious’ third parties
There’s also “the right to be forgotten,” which means companies would have to erase your personal data — including what’s publicly available on the web — in certain cases.
And the EU is pledging to punish businesses that don’t comply with the new rules with fines of up to 4 per cent of global revenues.
It’s still unclear to what extent the GDPR will affect Canadians. That will depend on how many global companies decide to apply its principles to all users, and how many Canada-based businesses are affected by the rules and also decide to adopt changes across the board. And the extent of business compliance will also depend on how aggressively European courts will decide to apply GDPR — i.e. to what extent they will focus strictly on protecting EU citizens or interpret the law in the broadest sense as applying to any company with business ties to the EU.
READ MORE: Facebook, Google and others are tracking you. Here’s how to stop targeted ads
But Canada’s privacy advocates are also seizing on Europe’s wide-ranging rules to push for an upgrade of our own online privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
Canada’s Privacy Commissioner, Daniel Therrien, recently told the Globe and Mail that the GDPR “raises the bar” for Canada and other countries. “I don’t think Canada needs to adopt exactly the same regime as in Europe, but it sets an important standard,” he added.
WATCH: Facebook’s Mark Zuckerberg apologizes to EU Lawmakers over data leak
How tech titans have complied, so far
Silicon Valley giants have updated their privacy policy and controls in response to GDPR. What that means in practice, though, varies.
Facebook hasn’t committed to GDPR for everyone but has made privacy tools and settings easier to find, including managing the personal information that the company uses to show targeted ads.
Apple has introduced a new privacy portal where customers can request to see all the data the company has on them.
READ MORE: What does Google know about you? Here’s how to find out
Google has quietly changed its privacy policy, taking out some of the legalese and adding videos and images to make it easier to understand. It also made it easier to find options to view, download, or delete personal data, including on/off switches to chose whether Google should remember things like your location history and web activity.
READ MORE: Here’s how to download your Facebook data, and why you’ll probably want to
Will GDPR prevent another Cambridge Analytica Scandal?
Theoretically, it should, according to Cavoukian.
The argument is that with something like GDPR in place, Facebook wouldn’t have been able to automatically pass personal data to partner sites like the personality-quiz app through which Cambridge Analytica was able to gain access to 87 million users without their knowledge.
READ MORE: Over 600,000 Canadians’ Facebook data shared with Cambridge Analytica in data leak
Could this backfire?
Some worry global tech companies will be able to dance around the new rules without giving up much of the data they control.
Facebook, for example, has been accused of adopting a design that encourages users to quickly agree to keep being targeted with personalized marketing. The social network has also used the privacy tool revamp to ask European and Canadian users about opting into facial recognition technology.
There are also concerns that the rules could, paradoxically, cement the control that tech giants already have on user data. Startups, for example, may find it hard to convince users to explicitly consent to data collection and processing, while incumbents can count on customer loyalty and inertia to gain permission to keep doing what they’re doing.
What about those emails, anyway?
If you’re curious, you can follow the links to the various company’s update privacy policies and have a read. Otherwise, you can safely consign them to your digital dustbin.
But if you spot a few messages from websites and apps you don’t recall ever signing up for, this is a good chance to let them know that, no, you don’t want to keep in touch.
Comments