United Nations Declaration of Human Rights, Article 12
“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
This sentiment is echoed in the International Covenant on Civil and Political Rights (ICCPR) Article 17, Right to Privacy. On April 8th 1988 the UN adopted general comment number 16 to article 17 which states that:
The gathering and holding of personal information on computers, data banks and other devices, whether by public authorities or private individuals or bodies, must be regulated by law. Effective measures have to be taken by States to ensure that information concerning a person’s private life does not reach the hands of persons who are not authorized by law to receive, process and use it, and is never used for purposes incompatible with the Covenant. In order to have the most effective protection of his private life, every individual should have the right to ascertain in an intelligible form, Whether, and if so, What personal data is stored in automatic data ﬁles, and for What purposes. Every individual should also be able to, ascertain which public authorizes or private individuals or bodies control or may control their ﬁles. If such ﬁles contain incorrect personal data or have been collected or processed contrary to the provisions of the law, every individual should have the right to request rectification or elimination.
Nearly 31 years old, this statement has gone largely ignored as the internet exploded and user engagement far outpaced any thought to user privacy. This changed on May 25th, 2018 when the European Union took a major step in protecting the privacy rights of individual users by adopting the General Data Protection Regulation (GDPR). The website created for the GDPR boasts that it is “the most important change in data privacy regulation in 20 years.” This regulation impacts how the the privacy of more than 500 million EU citizens will be protected from exploitation by online service providers. With the approval of the General Data Protection Regulation, the European Union has shown that it holds individual privacy to be of the utmost importance.
The GDPR applies to the conduct of all companies that provide services for EU residents, even if it is only for one EU resident. It aims to safeguard against individual users’ data being used in ways they do not knowingly consent to and mandates that consent can be withdrawn as easily as it is granted. This ability to withdrawal consent protects what they call “The Right to Be Forgotten.” One of the main ways that this is protected is by prohibiting from using “long illegible terms and conditions full of legalese.” Apple’s “Terms and Conditions” updated as of September 17, 2018 was a lengthy 7,006 words. The contract ambiguously ends: “Children under the age of majority should review this Agreement with their parent or guardian to ensure that the child and parent or legal guardian understand it.” However, the parents or legal guardians themselves are likely not reviewing nor understanding it; it’s unfair to expect that average users feel comfortable or have the spare time to try to understand the needlessly verbose contracts drawn up by lawyers working for multimillion dollar firms. Now behemoth companies like Facebook, Google, and Amazon, each serving a network of users across the globe, are being asked to rise to the occasion… and they will.
The amount of revenue generated from the more than 400 million internet users in the EU is more than enough to incentivize companies to adhere to the GDPR. If they fail to change their policies or decide to pull out of the European market, the business face the loss of millions of dollars through fines or from decreased profits respectively For violations of the GDPR’s stipulations on consent, among other legal issues, fines are the greater of twenty million euro or 4% of the entity’s gross global revenue. That said, Google and Facebook were quick to make sure that they updated their user policy to adhere to the GDPR.
Google will be making data they collect viewable under “My Activity” and users will be able to delete specific activity or data from entire time frames that they would rather not have associated with their account. Data privacy information has been made more easily accessible and users are provided with clearer explanations of Google’s data practices through a series of video tutorials outlining a user’s options for managing, exporting, and deleting data.
Both Facebook and Google will have special protection features for their users who are under 18 years old. Facebook’s include requiring parent or guardian permission for the use of target ads and restricted sharing.
On April 17th, 2018 Facebook’s Newsroom published an outline of changes being made to accommodate the GDPR. In addition to allowing the data to be more easily deleted, Facebook will ask users to agree to their updated terms of service and data policy, whether they want to see ads targeted to the information they have filled out on their profile, and if they want to turn off Facebook’s face recognition features. This last option will also be available to users in Canada.
All of this comes shortly after Facebook’s now infamous Cambridge Analytica scandal in which data mined on Facebook was collected and used to strategically place ads pertaining to the 2016 U.S. Presidential election. Users were inadvertently handing over their data to a third party by playing games and taking quizzes that were seemingly innocuous.
This particular application of mined data, and many other similar instances, highlights that as our dependence on technology and virtual programs has increased over the years, we have slowly but steadily bought into a system without taking the time to critique it. Collectively, people have become complacent about what contracts they absentmindedly agree to mean in the context of their everyday lives. Although we understand that anything shared on the internet will never truly disappear, we fail to ponder what happens when we hand over our addresses, credit card information, age, and other personal statistics to sites like Amazon, Twitter, banking sites, and dating services.
Unfortunately, even with the publicized steps corporations are taking to meet the expectations of the GDPR, business is business and companies continue to look for ways to maximize profits and minimize accountability. In response to the GDPR, Facebook now handles their user responsibility out of their offices in California instead of their international headquarters in Dublin, Ireland. This allows them to circumvent the GDPR and that user rights are now subject to the much lighter U.S. data protection regulations. On top of that, Facebook is still able to advantage of comparable tax breaks by booking their revenue through their Irish office. Alex Hern of The Guardian summed up the issue on April 18th, 2018: “Facebook has moved more than 1.5 billion users out of reach of European privacy law, despite a promise from Mark Zuckerberg to apply the “spirit” of the legislation globally.”
The GDPR is a step in the right direction for privacy rights but the fact remains that the very companies that so many people depend on in their day to day lives continue to abuse their global dominion. As illustrated by Facebook’s move to California, regulations lack strength unless they are implemented globally. The data privacy values outlined by the Article 17 of the ICCPR should be regarded equally around the world. Until there are universal norms, corporations will exploit legal irregularities to serve themselves, not their trusting customers. Looking to the EU as an example, one can only hope that soon the international community will begin to ask, and rightly so, about individuals’ right to privacy on the world wide web.