Privacy and GDPR Flashcards

1
Q

Define Privacy

A

“the ability of the individual to control the terms under which personal information is acquired and used” (Sorensen et al., 2006, p. 73)

- The difference between agreeing and understanding

2
Q

Why has Privacy become a relevant topic? (3)

A
  1. Facebook case
  2. Acceptance vs understanding of terms
  3. Issues with use of data, e.g. Cambridge Analytica, location data etc.
3
Q

What does big data market for? (2)

A
  1. Consumer data
  2. IoT

4
Q

Why was the General Data Protection Regulation changed? (3)

A
  1. Idea of GDPR was to bring things up-to-date and to create a common framework for the Single Market
  2. Create a one stop shop to avoid duplication of costs and efforts
  3. To move away from harvesting without consent: “A purpose that is vague or general, such as for instance ‘Improving users’ experience’, ‘marketing purposes’, or ‘future research’ will – without further detail – usually not meet the criteria of being ‘specific’” – GDPR text
5
Q

What have been the implications of a change to the GDPR? (6)

A
  1. “The GDPR expands the scope of data protection so that anyone or any organisation that collects and processes information related to EU citizens must comply with it, no matter where they are based or where the data is stored” (Tankard, 2015)
  2. Personal data has been defined in a broader manner, with IP addresses, cookies and mobile device identifiers included
  3. Breaches must be reported. First offences: the higher of 2% of turnover/10 million Euros, though a warning can be given. Serious offences: 4%/20 million Euros.
  4. Independent DPO - Organisations with major data processing activities need an independent DPO, who operates outside the business. The DPO can be shared with other businesses.
  5. Data impact assessments – these are needed when high risk is present.
  6. Safeguards, security measures and mechanisms to ensure compliance.
  7. This all raises costs for businesses.
6
Q

What should clear consent be? (5)

A
  1. Unbundled: Must be separate from other requests and not part of sign-up unless required.
  2. Active opt-in: Must be a clear process. Cannot have a ticked box. Should have equal prominence to yes or no.
  3. Granular: Where possible have a process for consent for different types of processing. Real issue for some.
  4. Named: Should be specific on who will use the data.
  5. Easy to withdraw: Users should know they can withdraw consent at any time and it should be an easy, facilitated process (e.g. see Google RTBF).
7
Q

What are the implications of data transfer? (3)

A
  1. Data transfers are not permitted to jurisdictions seen as having inadequate standards, unless authorised
  2. This requires the negotiation of contracts for the data transfer. (Tankard, 2015)
  3. These transfers have to follow European procedures to safeguard consumer rights
8
Q

When and how did the right to be forgotten come about?

A
  1. 1998 – a property was auctioned, by a distressed seller, in Spain
  2. The seller felt searches which gave this as a result damaged his reputation
  3. This led to the famous “Right to be forgotten” – Google have implemented this smoothly
9
Q

Give an example of a delisting (right to be forgotten) carried out. (2)

A
  1. France:
    “The CEO of an online business requested the delisting from Google Search of social media pages and news articles discussing his website, claiming they contained personal data and invaded his privacy. He requested removal for his name as well as the company’s name.

    Outcome
    We delisted 1 URL under the requester’s personal name, not the name of his company, as the personal name no longer appeared on the page. We did not delist the remaining 2 URLs.”

  2. Belgium:
    “We received a request from the Belgian Data Protection Authority to delist 5 URLs from Google Search that describe an incident where the perpetrator violently attacked a victim. The perpetrator was convicted.

    Outcome
    We delisted 3 URLs that no longer contained the perpetrator’s name but refused to delist 2 that did.”

10
Q

What are the challenges of the RTBF?

A
  1. Major challenge for organisations with
    - Multiple products
    - Inefficient IT systems
  2. It will be a main challenge for social media firms