As citizens of the United States, we have a series of protected “rights” that are guaranteed. These rights are spelled out in the Constitution and subsequent Amendments. Conspicuously missing from the list of explicitly stated protections is the right to privacy. Never fully spelled out in the Constitution or any of its amendments, the right to privacy is only implied, or drawn from a number of other amendments (specifically the Fifth and the Ninth).
A number of Supreme Court cases have dealt with the issue over the years, laying further precedent that there is a basic recognition around the “right to privacy”, but the United States is still lagging behind other countries in its efforts to more rigidly define exactly what “privacy” means.
In the age of IoT, an age where literally every “thing” serves as a gateway to an internet-enabled network, we are facing new, real challenges around this very concept. With all the recent scandals around the sale of personal data at Facebook, the lack of regulation and clarity around this particular issue hits close to home.
Who has the right to view your personal data? Who owns it? Who can profit from it? How can you fully control what is collected and when?
As of May 2018, a new European Union law around data protection goes into effect. The General Data Protection Regulation (GDPR) replaces the Data Protection Directive and “was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach privacy.”
The GDPR increases the scope of data protections for EU citizens, levies heavier penalties on violators of the protections, and places an emphasis on consent to data collection/sharing.
The GDPR impacts not only all members of the European Union, but anyone doing business with an individual who is a citizen of and/or physically in a country that is a member of the European Union. The GDPR also specifies that there does not need to be a transactional nature to the collection of personal data or behavioral information. Even if it is simply used in a marketing or research capacity, the GDPR protections still apply.
Now, the data collection efforts have to be targeted. In other words, a citizen of the EU who happens across a website and shares personal information is not automatically under the protection of the GDPR. This is a reasonable concession on behalf of companies. However, the scope of targeting includes having your website render in the language of the country it is being accessed in, or any mention of EU users/buyers.
Summarized as the “right to be forgotten”, the GDPR essentially empowers individuals to inform sites, businesses, and anyone collecting their personal data that they would like to “opt out” and have their data “forgotten”. This includes the right to have previously collected data erased, an immediate halt to the dissemination of that information, and the potential to halt the processing of that data by third party organizations.
Additionally, the subjects have the right to obtain copies of all the personal data collected on them from the data controller, and information on how it was processed, all free of charge.
Simply put, the GDPR says: you have a right to be informed when your personal data is being collected, to opt out of that collection process, to know what third party organizations know about you, and to understand how they leverage that knowledge. Additionally, you have a right to ask them to stop using any data they previously collected. Sounds like something we should all want, even demand, as necessary participants in an overtly connected society that remains vaguely regulated.
The GDPR is being framed as a thorn in the side of internet-based businesses outside of the EU (and at times, even within). Several popular websites have new banners on their home pages declaring updates that will be required to comply with GDPR regulations, and business IT departments are anxious about the 72-hour response time required in some complaint instances. However, the question we should be asking ourselves is: why didn’t we have this kind of protection in the first place?
A whole new economy has been built around data in a society where the right to privacy is fuzzy at best…and this should be deeply concerning. Following the European Union’s lead, we in the United States should look into our own state of the state on data security and privacy regulations.
Written by Clare Maher, IoT Market Development Manager at ClearObject.