At the Digital Rights Forum 2016, experts discussed the preparedness of companies to implement the General Data Protection Regulation and debated whether we really know what type of data protection people actually need.
“We had to update the regulatory regime concerning data protection to keep pace with technological challenges,” claimed EU Commission representative Paulo Silva, speaking at the Digital Rights Forum 2016 about the changes brought about by the General Data Protection Regulation.
Evolution, not revolution
According to Silva, the new Regulation represents evolution and not revolution in data protection, since we are familiar with most of the rules already.
“What is changing? We are moving towards greater accountability for data processors. This is a new model for managing data protection, one that aims to let people themselves be in control of their data.”
The Regulation makes it easier to control data. Data processors are now also obliged to provide more comprehensive information on what they will use personal data for, while consent to processing will have to be given by a clear affirmative act.
Yet another important novelty that the Regulation brings to the table is data protection by design. Various products and services will also have to incorporate data protection measures – for example, if your refrigerator is connected to the Internet, it will be necessary to ensure that it will not work without a correct password.
These new data protection rules will apply to both EU subjects and companies outside the EU that offer services to the Union’s citizens.
Online behavioral tracking is now the prevalent business model
According to the assistant to the European Data Protection Supervisor, Christian D’Cunha, who spoke about the competitive advantages offered by privacy protection, privacy is necessary for the enjoyment of other rights – self-expression, creation, innovation and, more recently, choosing what content to access online.
“Three-quarters of all people now receive their news through social media, but your experiences there are determined by algorithms. When I sought solace in Facebook after Brexit, you would’ve thought that 95 percent of the people voted to stay, but that was obviously untrue.”
D’Cunha said that 91% of US residents feel that they can no longer control how companies use their data.
“Last year, we visited Silicon Valley, had meetings with companies and got the impression that the dominant business model nowadays is online behaviorist tracking.” According to D’Cunha, the meetings revealed that it was very difficult to gain support from investors without showing how the company could monetize data. Companies wishing to escape this model would simply not attract investment.
Lithuanian companies adapt to new technologies, but are susceptible to threats
This trend was also observed by Mindaugas Kiškis, who presented a study on the preparedness of Lithuanian companies to implement the Regulation. According to the expert, the researchers were pleasantly surprised by the progressiveness of Lithuanian companies and their willingness to adapt to new technologies. On the one hand, this provides a competitive edge (especially for startups), but on the other, it also creates data protection risks.
According to Kiškis, when dealing with data protection issues, companies rely on internal resources and do not defer to professionals, even though they know very little about the regulation of privacy and data protection.
The researcher criticized the bureaucratic, formalistic view of data protection and uneven EU privacy protection practices.
“The European Commission tells us that it’s protecting our privacy, and then this very same Commission, I would say, rather undemocratically decides to gather the biometric data of all EU citizens.”
The expert questioned whether this did not amount to applying a double standard. “Did anyone ask whether we wanted this, did anyone ask us for permission to give the state access to all of our biometric data? The way I see it, this really doesn’t contribute much to the overall perception of privacy.”
“Hard security is worth little”
According to Kiškis, the public is not sufficiently educated on privacy and data protection. Furthermore, qualitative research is needed to analyze people’s views on privacy. While many claim that they value privacy, they don’t know what to say when probed deeper. In the absence of any qualitative research, it is unclear whether regulation of this sort is what people actually need.
“We are fixated on hard security, on data encryption and firewalls. We need to understand that hard security in reality is worth very little. If we take a good, hard look at security threats, two-thirds of them are ‘soft’ and caused by people. Encryption is meaningless when your password is ‘Lithuania1’.”
To improve privacy and the protection of personal data, Kiškis recommended strengthening the role of supervisory authorities so that they are able to advise companies on data protection issues, as well as increasing awareness of the changes and the new provisions in this area.
Privacy is valued, but people don’t report data breaches
According to Bitiukova, there is a clear gap between people’s stated intentions about giving access to their data and their behaviour in practice. Furthermore, despite claiming that it’s important to them, most people, when faced with a violation of their privacy, choose not to report it to any institution.