The introduction of the GDPR in 2018 was a real revolution for all Internet users. Consumers could now sleep peacefully, with the idea that no company – including those outside the European Union – would use their data for a bad purpose, while businesses were forced to tighten up procedures to protect sensitive information.
GDPR for businesses and consumers
From 25 May 2018, each company whose activity is based on data processing is obliged to appoint a Data Protection Officer (DPO). The records kept by the DPO must contain data such as the type, purpose and manner of data storage, as well as information on the person processing the data. If a data leak occurs in the company, the controller has 72 hours to alert the persons affected by the leak. For the first time, the consumer was given the opportunity to control his or her data. The consumer can request information from the business on the data stored and the way in which it is processed. Furthermore, they can also transfer their data to another entity or correct information about themselves. The right to be forgotten has proven to be the most groundbreaking, allowing the consumer to delete his or her data completely.
Theoretically, the introduction of GDPR should be the solution to a number of problems. The Regulation ensures that the consumer is confident that his or her data is secure and that the business operator knows how to deal with it through clearly defined rules. However, after two years of the Regulation’s operation, criticism is also being voiced in addition to praise – and not without reason.
Specialists from the Panoptykon Foundation – a non-governmental organization protecting citizens against threats related to modern surveillance techniques – presented an overview of the biggest problems that may call the effectiveness of the GDPR into question. They pointed, among other things, to the still unregulated issue of the functioning of advertising exchanges that make our data available to hundreds of entities without our knowledge. This information is used to best match the advertisements to our needs and preferences. The problem, however, is that we have no control over what data is distributed between the entities in question – and this could be information such as, for example, the sites we visit and the purchases we make online. From the latter it is possible to infer what our earnings are, and even our political or religious beliefs. However, processing such data requires our informed consent. Panoptykon warns that in reality this type of “consent” is collected in bulk, often in a way that makes it difficult to refuse.
Another hot issue raised by Panoptykon is the consent to data processing itself. Let us recall that it should be completely voluntary, i.e. free of any element of coercion. It is unacceptable that a company’s client who does not agree to a particular form of processing of his or her data does not get the same possibilities as a person who has ticked every box present in the form. According to the position of the European Data Protection Board, consent to the processing of data may under no circumstances form part of the transaction.
The next point on the GDPR’s list of “sins” is the ineffective fight against behavioral advertising based on our preferences. We usually give our consent without knowing what specific information will be used and to whom it will be given. Moreover, we often have no other choice! Panoptykon points to so-called cookie walls and dark patterns which block our access to the content or the entire website if we do not agree to the processing of our data. Many Internet users have no idea that these practices are in conflict with the guidelines of the GDPR. According to the regulation, every Internet user should have access to the data on the basis of which the advertisements displayed on their screen are profiled. Meanwhile, despite the two years of the GDPR’s operation, obtaining such information is still like fighting a battle that can’t be won. Although these are not all elements of the General Data Protection Regulation that need to be amended or at least seriously discussed, it is time to focus on what has changed for the better since May 2018.
In defense of the GDPR
A good evaluation of GDPR was given by Łukasz Wojciechowski, an expert in information security and personal data protection from the University of Economics and Innovation in Lublin. During a recent conversation on Radio Lublin he stated that high penalties for companies on the one hand, and greater awareness of personal data among customers on the other, are the positive effects of the functioning of the GDPR. Today, citizens are more aware of their rights than before the regulation entered into force. Consumers have not only learned the importance of their data, but have also learned that they have the right to be forgotten. The expert stresses that absolute caution must be exercised in any action that requires the use of information about us. He lists basic principles of safe use of the network, such as making purchases in trusted online shops or checking if the website address starts with https. The specialist from WSEI in Lublin praises the state platforms through which we make our applications – in his opinion, it is difficult to accuse them of anything. The responsibility for the security of our data lies with us – the users. We are the ones who should pay attention to whether the website we use is the right one or a “fake” website created to steal sensitive information.
There is a long road ahead
Two years is both a lot and a little. During this time we have managed to test the functioning of the GDPR – to see where it actually protects our data and where it needs to be refined. There is no doubt that in the next two years most of the problems indicated by Panoptykon will be solved. If not all.