Whilst some of us are busy trying to implement the new European data regulations that will come into effect on 25th May, Facebook is just as busy as we are, in clearly breaching the same regulations. Facebook’s carelessness concerning private data has been well reported elsewhere. However, there is one aspect of this fiasco that I can write about because I’m affected by the implementation of the new European rules.
As a practicing healthcare worker, I have patient data stored in my practice computer. Data includes personal details of all my patients, as well as information about their general medical condition.
Next May, the EU will officially apply a new set of stringent regulations, the General Data Protection Regulation (GDPR) to all those storing and processing personal data concerning EU citizens. The rules will also apply to companies based outside the EU, but whose customers include EU citizens. And, before you ask, this is one mighty set of EU regulations that will be hanging over Britannia’s head, well after Brexit.
The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established. Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to the regulatory policies
Key changes include (GDPR):
- Increased territorial scope:
The GDPR extends its jurisdiction to all companies that store and process EU citizens’ data, regardless of where the company is based.
Companies can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors – meaning ‘clouds’ will not be exempt from GDPR enforcement.
Companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
On 29th January, Facebook published the following statement, on their website,
Facebook takes data protection and people’s privacy very seriously and we are committed to continuing to comply with data protection laws….At Facebook, preparations are well underway to ensure that our products and services comply with the GDPR. Facebook and its affiliates, including Instagram, Oculus and WhatsApp, will all comply with the GDPR…We are committed to transparency, control and accountability.
Facebook’s statements concerning “control” and “accountability”, are particularly interesting,
We’ll continue to provide people with controls over how their data is used. To build on this, we’re simplifying the design of our privacy settings in a new control centre. We’ll also provide refreshers for people as they use Facebook, such as reminders that pop up in News Feed about how to double-check your settings.
We are accountable for our privacy practices, which includes updating our existing compliance program to ensure that we are adequately documenting our GDPR review and compliance. We are also meeting with regulators, legislators, experts and academics from around the world to seek feedback.
Playing with, and profiting from, the Human Ego
Those of you who still think that Mark Zuckerberg, the founder of Facebook, is a philanthropic well-doer whose sole aim is to make a better world, have seriously underestimated the hidden motives of a man who stores your holiday snapshots, knows your friends, and shares your political opinions and secret desires, with others.The man is probably a genius, but is also a shrewd businessman. He is playing with, and profiting from, a universal source of income derived from our technological world – the human ego.
The fact that Cambridge Analytica stole Facebook personal data from unsuspecting American citizens, does not change the fact that Facebook is guilty, and is nowhere near complying to GDPR regulations. Facebook knew about the breach, as far back as 2015. If I encounter a data leak in my practice, under GDPR Artice 33, I will have to report it to the competent authority within 72 hours from the time of its discovery.
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it…
Let us not forget that Facebook has sold off personal data, for years, without the consent of its users, and has received generous commissions for doing so. The fact that the personal data of millions of American voters found its way into Donald Trump’s presidential campaign mailbox, via Cambridge Analytica, doesn’t change the fact that Facebook is still to blame. Having gathered user data in the first place, Facebook is considered under GDPR to be the “controller” who, “alone or jointly with others, determines the purposes and means of the processing of personal data.” (GDPR Art 7)
Even if Facebook were found to be guilty, and fined 4% of its income, according to the new rules, the fine would be insignificant when compared to Facebook’s global revenue which, in 2016, amounted to $27.64 billion.
Facebook’s attitude towards the privacy of its members, is undermining the very concept that it is trying to promote – democracy and social cohesion, in a safe environment. Facebook users freely choose to share certain information about themselves on the platform, but surely expect, and deserve, that this information stays within the confines of the users’ agreement with Facebook, unless they specifically consent otherwise.
How will Facebook have to adapt to GDPR, if it is not to suffer sanctions from Brussels, lose its credibility, or both?
First and foremost, Facebook will be unable to use personal data for advertising purposes without specific user consent. Furthermore, Facebook cannot deny access to users who refuse to accept all its services. Concerning consent, Recital 32 of the GDPR states that,
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
I was curious about this, and opened my Ad controller on my Facebook account. These are settings that can control the way Facebook sends me advertissements that suit my profile. To my surprise, all the boxes were ticked, which either means I cannot remember ticking them, or they were pre-ticked boxes.
I seriously considered acquiring carrier pigeons, instead of sending encrypted emails
I am facing a similar situation insomuch that I must put down in writing (including on my practice website) why I collect personal data, what I use it for, and what the patient can do about it. Everything must be crystal clear and written for the records. This includes a detailed description of what happens to personal data, when sent to third parties, such as insurance and billing companies, as well as emails to and from colleagues. In this way, the personal data that is gathered should not serve any other purpose than that specified to the user, and the amount of data collected should be up-to-date, and comprise no more than a strict minimum to maintain an adequate service that the user, or customer, has signed up for. The implementation of GDPR is so complicated, that I seriously considered acquiring carrier pigeons, instead of sending encrypted emails. Quite safe, I thought, as long as they land in the right place and don’t get maimed by the cat, living at number 10.
Another controversial GDPR issue is of particular importance to all those using Facebook. It concerns the user’s “right to erasure”, or “right to be forgotten”, detailed in the GDPR’s Article 17. The regulations will allow people to ask for their personal data, including IP addresses and internet cookies.
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay…
Thus, if you decide to close your Facebook account, Facebook will be obliged to comply because, “the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,” and, “the data subject withdraws consent on which the processing is based.” Third parties, who have also accessed and copied the data, are also obliged to erase it, after being informed by the controller, to do so.
But do you disappear from Facebook, once you delete your account? According to Chris Shrader, former Facebook consultant, the answer is a categorical “niet“.
Hive (a tool within the Hadoop platform which Facebook uses for analyzing and storing data) literally doesn’t allow you to delete individual records from tables. It is simply a limitation of the technology. The only way to delete your data would be to delete everyone’s data.
The upcoming GDPR is a logical conclusion to a digital dream that still has the potential to turn into a nightmare. However, even stringent rules, that are well thought out, will only be as strong as their enforcement. This is of paramount importance when trying to control and regulate companies, such as Facebook and Google, whose sheer size escapes us, and whose data – our data – threatens to disappear in the cloud. For Mark Zuckerberg, it was, “a major breach of trust.” His company, though, has certainly lost face. As for the rest of us – his clients – it might just be a question of a few stolen photo books, and a few unsolicited emails, containing advice on how to vote in a presidential election, or in a referendum.