GDPR and a Digital Protection Agency?

Ok, I know I said that I’ll stop reading articles about personal data abuses, but they just keep coming.

Silicon Valley has failed to protect our data. Here’s how to fix it
What’s been unfolding for a while now is a rolling catastrophe so obvious we forget it’s happening. Private data are spilling out of banks, credit-rating providers, email providers, and social networks and ending up everywhere.

[…]

Given that the federal government is currently one angry man with nuclear weapons and a Twitter account, and that it’s futile to expect reform or self-regulation from internet giants, I’d like to propose something that will seem impossible but I would argue isn’t: Let’s make a digital Environmental Protection Agency. Call it the Digital Protection Agency. Its job would be to clean up toxic data spills, educate the public, and calibrate and levy fines.

That sounds like a very sensible, pragmatic and effective approach, so it’s obviously going to be ignored. It was interesting reading that after hearing about another data breach yesterday, this time with a fitness app. It seems the company dealt with it appropriately though. This time.

The MyFitnessPal hack may affect 150 million people. It could’ve been even worse.
Under Armour and MyFitnessPal seem to have some good data practices in place: Payment information was kept separate from general user information, which was stored separately from user-uploaded app data. Under Armour also appears to have reacted swiftly once it learned of the breach and notified users and the public a few days later—a stark comparison to other companies, such as Uber, which hid its 2016 data breach by paying off the hackers. Still, it’s an important reminder that being hacked isn’t a matter of if—it’s when.

What will these companies make of the GDPR, I wonder.

WTF is GDPR?
Last year the company [Facebook] told us it had assembled “the largest cross functional team” in the history of its family of companies to support GDPR compliance — specifying this included “senior executives from all product teams, designers and user experience/testing executives, policy executives, legal executives and executives from each of the Facebook family of companies”.

“Dozens of people at Facebook Ireland are working full time on this effort,” it said, noting too that the data protection team at its European HQ (in Dublin, Ireland) would be growing by 250% in 2017. It also said it was in the process of hiring a “top quality data protection officer” — a position the company appears to still be taking applications for.

And this.

How Europe’s new privacy rule is reshaping the internet
Much of the GDPR builds on rules set by earlier EU privacy measures like the Privacy Shield and Data Protection Directive, but it expands on those measures in two crucial ways. First, the GDPR sets a higher bar for obtaining personal data than we’ve ever seen on the internet before. By default, any time a company collects personal data on an EU citizen, it will need explicit and informed consent from that person. Users also need a way to revoke that consent, and they can request all the data a company has from them as a way to verify that consent. It’s a lot stronger than existing requirements, and it explicitly extends to companies based outside the EU. For an industry that’s used to collecting and sharing data with little to no restriction, that means rewriting the rules of how ads are targeted online.

Author: Terry Madeley

I work with student data and enjoy reading about art and design, data, education and technology.