GDPR: Will We Get Back Control of our Data?

We are normally quite concerned about protecting our private lives, but paradoxically we have not shown this in our online behavior. Online, we have given our personal data away freely to almost everyone who asked for it – from social media to online communication services, and online shops to online games.

Personal data is not just a name, address, phone number or credit card data; it is any kind of information that relates to an identified or identifiable person, from a picture to a list of products ordered online. Connecting the different data we have put online can create an accurate profile of us, from which a lot of detail about our lives and preferences can be learned.

Most of us are aware by now that our data has a monetary value for others and that by giving away this data, we are also giving away part of our liberty - but we are somewhat helpless.

Given this situation, the EU legislator promised to give us back control over our data. But does this mean that as of 25 May 2018, when the General Data Protection Regulation (GDPR) becomes fully binding, we will be the masters of our own data? Not quite. The GDPR provides some opportunities for having more control over one’s personal data, but it does not give us back full control.

Sharing data is not only a problem because of others – the ones who collect and process it – the problem begins with us. We are the ones who share our data, so we are the ones making it possible for that data to be processed in all the different ways that technology allows.

For the GDPR, it is the legal concept of the freely given, unambiguous, specific and informed consent (article 7) that is seen as the one clause that will allow us to conscientiously decide about sharing data in the future. However, I would argue that this is not enough.

In many instances, not giving consent means that we are excluded from being able to access digital services and information. In addition, despite clearly written privacy policies, information asymmetries will continue to exist.

For example, we will remain largely unaware or uninformed of the technological context of data use, and we are unable to assess the value of our data. Therefore, we cannot effectively be in control of our data. In addition, since the pace of technology advances so quickly, as do the processing capabilities, consent given for data processing today may be entirely out of context tomorrow.

Of course, there is also the issue that it is not only we who share our data online; our peers and acquaintances do so too. Just think of how many times your picture has been shared online by your friends, and how many times your location has been disclosed by others. Unfortunately, the introduction of the GDPR does nothing to reduce the possibility, and indeed probability, of others sharing our personal data.

This is protected by the exclusion for purely personal or household activities (article 2(2)(c)), which on the one hand encourages individuals to make use of the internet and the information society, but on the other hand takes some control away from us over the sharing of our personal data.

Then come the problems caused by others – the controllers and processors of our data. The GDPR requires them to be much more transparent about what personal data they hold and what they do with it (articles 12-15). In this framework, it also introduces new rights for us, including, for example, the right to ask for the erasure of personal data (article 17) and the right to data portability (article 20).

Monetary penalties aside, it is also unclear how it will be possible to control and/or enforce the rules for all data controllers and processors that are not established in the territory of the EU but that offer goods or services to, or monitor the behavior of, data subjects in the EU. This is all still to be understood, but one thing is certain – we will not be able to defend our rights or fulfil our obligations if we do not know what they are.

As part of the Security, Technology and e-Privacy research group of the University of Groningen in the Netherlands, I have worked together with others to prepare a Massive Open Online Course (MOOC) on ‘Understanding the General Data Protection Regulation’, aimed at anyone interested in learning more about the GDPR.

We focus on data subjects as well as on data controllers and processors. If you are eager to learn more about the GDPR, you can join this free MOOC on the FutureLearn platform.
