GDPR: Here’s why you’re getting all those privacy-update emails
That’s because of the European Union’s General Data Protection Regulation (GDPR), a set of sweeping new privacy rules that could change the way businesses collect information online. The GDPR takes effect this Friday, May 25, and affects any company with dealings in the EU, not just those based in Europe.
That’s one reason why the GDPR impacts Canadians, too. Some companies, like Microsoft, have pledged to extend GDPR protections to users worldwide. Many others, like Facebook and Google, have simplified their privacy controls or privacy policies. And privacy advocates in Canada are pointing to EU legislation as the example this country should follow.
So how exactly will GDPR change the Internet for Canadians?
GDPR is the first major attempt to make privacy the default setting on the Internet
The idea at the heart of the new EU regulations is that user privacy should be the default setting, said Ann Cavoukian, Ontario’s former Information and Privacy Commissioner and current head of the Privacy by Design Centre of Excellence at Ryerson University in Toronto.
The rules compel companies to obtain explicit permission from customers to use their data.
“What [the legislation] tells to companies is, you cannot use this person’s information for additional, secondary uses unless you have the positive consent of the data subject,” Cavoukian said.
For example, the fact that you’ve shared your information on social media to stay in touch with family and friends no longer means the company can automatically use that data for targeted ads.
Another principle embedded in the EU legislation is that of “data portability.” The idea is that if you, at any point, switch companies, you have the right to easily obtain and transfer your personal information.
There’s also “the right to be forgotten,” which means companies would have to erase your personal data — including what’s publicly available on the web — in certain cases.
And the EU is pledging to punish businesses that don’t comply with the new rules with fines of up to 4 per cent of global revenues.
It’s still unclear to what extent the GDPR will affect Canadians. That will depend on how many global companies decide to apply its principles to all users, and how many Canada-based businesses are affected by the rules and also decide to adopt changes across the board. And the extent of business compliance will also depend on how aggressively European courts will decide to apply GDPR — i.e. to what extent they will focus strictly on protecting EU citizens or interpret the law in the broadest sense as applying to any company with business ties to the EU.
But Canada’s privacy advocates are also seizing on Europe’s wide-ranging rules to push for an upgrade of our own online privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
Canada’s Privacy Commissioner, Daniel Therrien, recently told the Globe and Mail that the GDPR “raises the bar” for Canada and other countries. “I don’t think Canada needs to adopt exactly the same regime as in Europe, but it sets an important standard,” he added.
How tech titans have complied, so far
Facebook hasn’t committed to GDPR for everyone but has made privacy tools and settings easier to find, including managing the personal information that the company uses to show targeted ads.
Apple has introduced a new privacy portal where customers can request to see all the data the company has on them.
Will GDPR prevent another Cambridge Analytica scandal?
Theoretically, it should, according to Cavoukian.
Under the EU’s regime “the information you give may only be used for the primary purpose [to which you’ve consented],” she noted.
The argument is that with something like GDPR in place, Facebook wouldn’t have been able to automatically pass personal data to partner sites like the personality-quiz app through which Cambridge Analytica was able to gain access to 87 million users without their knowledge.
Could this backfire?
Some worry global tech companies will be able to dance around the new rules without giving up much of the data they control.
Facebook, for example, has been accused of adopting a design that encourages users to quickly agree to keep being targeted with personalized marketing. The social network has also used the privacy tool revamp to ask European and Canadian users about opting into facial recognition technology.
There are also concerns that the rules could, paradoxically, cement the control that tech giants already have on user data. Startups, for example, may find it hard to convince users to explicitly consent to data collection and processing, while incumbents can count on customer loyalty and inertia to gain permission to keep doing what they’re doing.
What about those emails, anyway?
If you’re curious, you can follow the links to the various companies’ updated privacy policies and have a read. Otherwise, you can safely consign them to your digital dustbin.
But if you spot a few messages from websites and apps you don’t recall ever signing up for, this is a good chance to let them know that, no, you don’t want to keep in touch.
© 2018 Global News, a division of Corus Entertainment Inc.