What’s with all the privacy emails and ‘I accept’ tick boxes?

If you use a computer or smartphone and access the Internet (a reasonable bet if you are reading this post) then you will, over recent days, have been inundated with “Update to our terms and conditions” or “Update to our privacy rules” or “Re-subscribe” or tick boxes to say you accept. Disqus, used by Whaleoil, had two tick boxes the other day.


The reason is that the European Union passed a law in 2016 called the General Data Protection Regulation (GDPR) and companies had two years to comply with this law which comes into force on May 25, 2018.

So everyone is busily sending you emails asking if you want to receive emails. A sort of modern equivalent to the teacher saying, “Put your hand up if you can’t hear me down at the back.”

So here is a bit about it all: Quote.

GDPR was designed to replace the previous law known as the Data Protection Directive and it aims to create a single set of rules for European Union member states. It aims to give consumers more control over the personal data companies collect about them. Not only does the legislation affect organizations based within the EU itself, but it also applies to companies outside of the EU if they provide services to, or monitor the activities of, EU citizens. As you can see, it’s going to have a major impact felt around the world.

How Did All This Come About?

The GDPR is one of the latest EU parliamentary measures designed to protect personal data as much as possible. The EU Charter itself states that protection of personal data is a fundamental right associated with protection of one’s natural person.

While American laws tend to be in favor of businesses more so than consumers, the EU takes a consumer-first approach. The Data Protection Directive and the Organization for Economic Co-Operation and Development started the process and now the GDPR continues it.

Make no bones about it; the EU cares a lot about protecting consumer privacy and they always have. It has now paved the way for this approach to be taken globally thanks to the GDPR, its policies, and the punishments for those that break them.

What are the Key Policies?

A key focus of the legislation is strengthening the conditions of consent. This means that companies are no longer able to get your data out of you by using vague and confusing statements. They will also no longer be able to make users consent to several things at once. Users should be able to consent to individual things individually, rather than being presented with a list of things and then being asked to consent to everything at once. On top of this, a parent or guardian must consent to data collection on children aged under 16.

Another GDPR rule says that companies must notify their data protection authority about any breaches within 72 hours of them becoming aware it happened. Those in charge of processing data must notify customers as soon as possible once the breach has been discovered.

Consumers will also be given more control over their user data. They will have the right to access the personal information that companies store on them and find out what the data is being used for and where it is being kept. It also gives users the right to be forgotten. That means that you have the right to ask people to delete the information they have on you and prevent third parties from getting access to it. It also allows for people to transfer their information between service providers easily.

How Will it Affect Individuals?

While consumers are given more control over their information and are given the right to be forgotten, there are some gray areas about how all this applies in reality. In theory, the law would allow for people to demand that social networks such as Facebook completely delete their profile permanently. How feasible this is remains to be seen. There are also other problems, such as the freedom of expression. Laws built around the freedom of expression prevent this right to be forgotten from extending to news articles.

Will There Be Punishments for Breaking GDPR?

There will be some potentially major fines associated with breaking the rules of the GDPR. Organizations that breach the rules will be subject to fines of up to 4% of their annual global turnover or 20 million euros (around $25 million), whichever figure is higher. Given that some tech companies such as Facebook and Google make billions of dollars each year, this could be a potentially massive fine. End of quote.

Well, this GDPR sounds like a good idea, what could possibly go wrong?

There is a problem with the WHOIS service for a start. WHOIS is a very useful tool for finding out ‘who is’ behind any domain name on the Internet. The trouble is that it works by publishing the registrant’s name, postal address, phone number and email address to anyone who asks, and for an individual registrant that is exactly the kind of personal data the GDPR restricts, so registrars have begun redacting those fields and the lookup tells you a great deal less than it used to.

Another quote:

To be fair, GDPR as a whole is a bit complicated. Alison Cool, a professor of anthropology and information science at the University of Colorado, Boulder, writes in The New York Times that the law is “staggeringly complex” and practically incomprehensible to the people who are trying to comply with it. Scientists and data managers she spoke to “doubted that absolute compliance was even possible.” End of quote.

But as the end-user, that is not your problem.

Where it does get interesting as an end-user are issues like this: Quote.

Google and Facebook will be unable to use the personal data they hold for advertising purposes without user permission. This is an acute challenge because, contrary to what some commentators have assumed, they cannot use a “service-wide” opt-in for everything. Nor can they deny access to their services to users who refuse to opt-in to tracking. Some parts of their businesses are likely to be disrupted more than others.

When one uses Google or Facebook.com one willingly discloses personal data. These businesses have the right to process these data to provide their services when one asks them to. However, the application of the GDPR will prevent them from using these personal data for any further purpose unless the user permits. The GDPR applies the principle of “purpose limitation”, under which personal data must only be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.

Google and Facebook cannot confront their users with broad, non-specific, consent requests that cover the entire breadth of their activities. Data protection regulators across the EU have made clear what they expect:

“A purpose that is vague or general, such as for instance ‘Improving users’ experience’, ‘marketing purposes’, or ‘future research’ will, without further detail, usually not meet the criteria of being ‘specific’.”

A business cannot, for example, collect more data for a purpose than it needs and then retroactively ask to use those data for additional purposes.

It will be necessary to ask for consent, or present an opt-out choice, at different times, and for different things. End of quote.

So expect many more tick-boxes in your life. Read and understand (as best you can) what, exactly, it is that you are consenting to.