GDPR (General Data Processing Requirement) is, in layman’s terms, a new legal requirement that will apply to any companies that hold or process data of EU citizens. The new rules require that any company that collects/processes/holds data have simple, easy-to-read Terms and Conditions, that users know how their data is being used, that they can request access to it, that users be notified of breaches within 72 hours, and that users be allowed to opt out and have their data removed.
In reading about GDPR, it’s hard not to think about the recent Facebook data scandal, in which it came out just how much data Facebook was collecting and sharing. One man, for example, downloaded the data that Facebook had been collecting about him, and found that in addition to the standard data you expect them to collect (data related to your Facebook use), Facebook was collecting data on his phone calls for the last two years, including who the calls were to, how long they were, etc. When questioned about similar cases, Facebook responded that “it’s all stated in the Terms & Conditions.” Essentially, Facebook is saying that users should have known what they were getting into when they signed up for a Facebook account.
While Facebook may think that it’s covering its tracks with a complex Terms & Conditions statement that most people don’t take the time to decipher, the firm has now made a case for expansion of GDPR beyond the EU. One of the pillars of GDPR is consent – making sure that users are able to give informed consent for the collection and use of their data and that they’re able to opt out as easily as they’re able to opt in.
I can say from personal experience that I couldn’t tell you how to opt out of Facebook’s data collection, I have no idea what data they collect, and I have absolutely no clue what is/was in their Terms and Conditions.
It has since come out that out of 50 million people whom Facebook was collecting data on, only 270,000 of those had consented to having their data collected, which further strengthens the argument for the expansion of GDPR beyond the EU. As someone who personally has no idea about whether I ever consented to giving Facebook my data or what they’re doing with it, I think that expanding GDPR beyond the EU is a good thing for a few reasons.
- It simplifies things. GDPR includes any firms that deal with data of EU citizens, which means that a number of countries outside of the EU are affected anyway. By making GDPR more of a standard worldwide, firms wouldn’t have to worry about treating data from different sources differently.
- It gives the consumer power back. Large firms have entire legal teams to review their Terms – the average person doesn’t. GDPR forces firms to provide their Terms & Conditions in plain, simple language that ensures that people will actually know what they’re opting in to.
- It brings data laws into the present. GDPR is reflective of today’s digital landscape, which is more connected than ever, with our devices constantly collecting and transmitting information to a number of sources.
I do, however, recognize that different countries treat information differently, so I think that GDPR would need to have certain parts tailored to certain countries. But as a whole, the idea of keeping consumers informed and in control of their data is a step in the right direction.