The Challenge to European Data Rights
June 17, 2013 11:25 AM Subscribe
The Council of the European Union recently released a proposal to amend the General Data Protection Regulation. Scaling back from becoming the most strict privacy regulation in the world, the amendment greatly favors corporate interests while reducing the rights of data subjects.
Under EU law, personal data can only be collected under strict guidelines and for a legitimate purpose. The Data Protection Directive of 1995 and the e-Privacy Directive of 2002 specify, among other things, that people have rights over their data, that data can only be processed or transferred to 3rd parties if the subject has unambiguously given consent, and requires that governments create agencies to police these standards. This differs from the US where privacy policies instead target specific types of information (health care, financial data, etc.) when considered necessary.
The European Commission has proposed the General Data Protection Regulation (GDPR) which would unify data protection policies within the EU, making it easier for non-European companies to comply with the law across geographies. It would establish the world’s strictest data protection law, and violations would come with severe penalties of up to 2% of worldwide turnover. Global tech companies such as Facebook, Amazon, and Google are lobbying to avoid the additional layer of heavy regulation which they fear could stifle innovation .
The GDPR had critics outside of the tech giants. The regulation had a clause exempting "anonymous" data from regulation. This has some computer scientists worried because it has been shown that so-called anonymized data can be fairly accurately “deanonymized” using very few additional data points.
But last month, the Council of the European Union released its proposals to amend the draft GDPR. In a surprise move, the proposed draft compromise text falls in line with the recommendations of industry lobbyists. Instead of creating more stringent guidelines, the proposal allows the industry to police itself, eliminating the role of a supervising commission, and giving flexibility to data controllers to decide what constitutes a privacy risk. The amendment applies a reactionary risk-based approach instead of establishing prescriptive standards. Scaling back the rights that individuals have over their data, the amendment clarifies ”the right to data protection as a qualified right, highlighting the principle of proportionality and importance of other competing fundamental rights, including the freedom to conduct a business.” In addition, the requirement to obtain explicit consent has been revised such that data controllers need only demonstrate that consent (informed or otherwise) was somehow obtained. Also, the timeframe within which breaches of personal data must be reported has been extended and is only required when the breach may result in significant harm (as opposed to the previous standard of disclosing all breaches). And finally, the amendment exempts all social networking from the regulation.
Under EU law, personal data can only be collected under strict guidelines and for a legitimate purpose. The Data Protection Directive of 1995 and the e-Privacy Directive of 2002 specify, among other things, that people have rights over their data, that data can only be processed or transferred to 3rd parties if the subject has unambiguously given consent, and requires that governments create agencies to police these standards. This differs from the US where privacy policies instead target specific types of information (health care, financial data, etc.) when considered necessary.
The European Commission has proposed the General Data Protection Regulation (GDPR) which would unify data protection policies within the EU, making it easier for non-European companies to comply with the law across geographies. It would establish the world’s strictest data protection law, and violations would come with severe penalties of up to 2% of worldwide turnover. Global tech companies such as Facebook, Amazon, and Google are lobbying to avoid the additional layer of heavy regulation which they fear could stifle innovation .
The GDPR had critics outside of the tech giants. The regulation had a clause exempting "anonymous" data from regulation. This has some computer scientists worried because it has been shown that so-called anonymized data can be fairly accurately “deanonymized” using very few additional data points.
But last month, the Council of the European Union released its proposals to amend the draft GDPR. In a surprise move, the proposed draft compromise text falls in line with the recommendations of industry lobbyists. Instead of creating more stringent guidelines, the proposal allows the industry to police itself, eliminating the role of a supervising commission, and giving flexibility to data controllers to decide what constitutes a privacy risk. The amendment applies a reactionary risk-based approach instead of establishing prescriptive standards. Scaling back the rights that individuals have over their data, the amendment clarifies ”the right to data protection as a qualified right, highlighting the principle of proportionality and importance of other competing fundamental rights, including the freedom to conduct a business.” In addition, the requirement to obtain explicit consent has been revised such that data controllers need only demonstrate that consent (informed or otherwise) was somehow obtained. Also, the timeframe within which breaches of personal data must be reported has been extended and is only required when the breach may result in significant harm (as opposed to the previous standard of disclosing all breaches). And finally, the amendment exempts all social networking from the regulation.
Scaling back from becoming the most strict privacy regulation in the world"
That's some serious understatement right there...
posted by Hairy Lobster at 11:57 AM on June 17, 2013 [1 favorite]
That's some serious understatement right there...
posted by Hairy Lobster at 11:57 AM on June 17, 2013 [1 favorite]
As a computer programmer, I just want to say: it's great to work in an unregulated industry. Making a small web app is (relatively) cheap, easy,and fast. And I don't need any government approval or licensing to set it up. Compare that to dealing with SOX or PCI compliance (much less a law or medical degree), which are huge, expensive headaches.
But I get it. I too love privacy. Although, I don't think there is an easy solution here. Data wants to be free (thanks 1996 self), and people want their data to be private. As a bonus, your interactions with a web service are also data. And society is going to adjust slowly to these changes in technology and societal interactions.
In short: good luck making a sane, effective law here. There's no need to make it easier for the internet-scale companies of the world, but there's a lot of small companies out there that aren't, just for example, going to host the data of EU residents in the EU, no matter what law you pass there.
posted by Phredward at 12:02 PM on June 17, 2013
But I get it. I too love privacy. Although, I don't think there is an easy solution here. Data wants to be free (thanks 1996 self), and people want their data to be private. As a bonus, your interactions with a web service are also data. And society is going to adjust slowly to these changes in technology and societal interactions.
In short: good luck making a sane, effective law here. There's no need to make it easier for the internet-scale companies of the world, but there's a lot of small companies out there that aren't, just for example, going to host the data of EU residents in the EU, no matter what law you pass there.
posted by Phredward at 12:02 PM on June 17, 2013
Yes, this is good news unless it makes it super-difficult for small companies to maintain compliance in which case you better like getting online services from Microsoft, Google and Facebook because no one else will be able to provide them legally.
posted by GuyZero at 12:04 PM on June 17, 2013
posted by GuyZero at 12:04 PM on June 17, 2013
This has some computer scientists worried because it has been shown that so-called anonymized data can be fairly accurately “deanonymized” using very few additional data points.
This point cannot be emphasized enough. In a pretty crude cell phone location study (1 hour resolution, locations not more precise than the cell tower phones connected to), 95% of phones could be uniquely identified by four time/space points. In other words, one or two geotagged tweets, photos, status updates, or just data from plain old physical surveillance is usually enough to identify you even from such a coarse dataset. From the same study, it turns out that 50% of phones could be uniquely identified even with 15 hour resolution and location narrowed only down to 15 nearby cell towers.
Then there's the Netflix Prize dataset, where users' Netflix ratings can be deanonymized based on the more limited information they share in a public IMDB profile. The same researchers also found that anonymous Twitter users can be identified through their connections on flickr, based solely on the topology of the social graph.
Ars did a nice overview of the problem a few years back: 87% of Americans can be uniquely identified by ZIP code, birthdate, and sex. Even sensor data (like Nike+ or the FitBit) might be prone to certain attacks. Most browsers reveal a surprising amount of unique data. In short, pretty much no anonymous data really is anonymous.
posted by zachlipton at 12:11 PM on June 17, 2013 [9 favorites]
This point cannot be emphasized enough. In a pretty crude cell phone location study (1 hour resolution, locations not more precise than the cell tower phones connected to), 95% of phones could be uniquely identified by four time/space points. In other words, one or two geotagged tweets, photos, status updates, or just data from plain old physical surveillance is usually enough to identify you even from such a coarse dataset. From the same study, it turns out that 50% of phones could be uniquely identified even with 15 hour resolution and location narrowed only down to 15 nearby cell towers.
Then there's the Netflix Prize dataset, where users' Netflix ratings can be deanonymized based on the more limited information they share in a public IMDB profile. The same researchers also found that anonymous Twitter users can be identified through their connections on flickr, based solely on the topology of the social graph.
Ars did a nice overview of the problem a few years back: 87% of Americans can be uniquely identified by ZIP code, birthdate, and sex. Even sensor data (like Nike+ or the FitBit) might be prone to certain attacks. Most browsers reveal a surprising amount of unique data. In short, pretty much no anonymous data really is anonymous.
posted by zachlipton at 12:11 PM on June 17, 2013 [9 favorites]
Corporations always win in the end.<>
... when you elect people who are willing to sell you out for a quick buck.
"But how can you tell?"
They look and talk just like the people they sell out to.
posted by Twang at 5:37 PM on June 17, 2013
... when you elect people who are willing to sell you out for a quick buck.
"But how can you tell?"
They look and talk just like the people they sell out to.
posted by Twang at 5:37 PM on June 17, 2013
This sounds like one of those things that will be very difficult to undo.
posted by sneebler at 7:42 PM on June 17, 2013 [1 favorite]
posted by sneebler at 7:42 PM on June 17, 2013 [1 favorite]
« Older STOP | Marriage proposal via handcrafted language lesson Newer »
This thread has been archived and is closed to new comments
posted by maxwelton at 11:50 AM on June 17, 2013 [1 favorite]