European Union’s General Data Protection Regulation

Max Read:

"What does the GDPR do? First, it creates a set of legal responsibilities for data-gathering and data-processing companies, and second, it creates rights around personal data. Those rights protect anyone geographically within the E.U. or anyone outside it whose data is being harvested or processed by any company established in the E.U. The GDPR effectively turns the global nature of the internet to its advantage: There are not many internet companies that have no offices or employees or users somewhere in Europe.

Maybe the most important of tech companies’ new responsibilities is the GDPR’s insistence that data harvesters obtain “specific, informed and unambiguous” consent from users. That is, websites and apps now need to make it very clear that they want to harvest your data and why — e.g., “so we can target ads more efficiently” or “to sell it to third parties” — and they need to make it easy for users to say no: So-called dark patterns that passively compel consent, like pre-checked boxes, are explicitly banned. The GDPR also mandates that protecting users’ data be a fundamental concern in the design of any new products and that those products must be subject to privacy testing even in early stages.

Some of the rights users are guaranteed are simply the inverse of these responsibilities; for example, users have a right to be clearly and intelligibly informed when their data is being collected. Others, like the right to a copy of your data, are designed to give users more control over their digital selves. Some of the rights could have a profound impact, like the "right to erasure," which gives users the power to demand collected data be deleted from companies' systems, and a family of rights related to "automated individual decision-making" that protect users from the vagaries of algorithmic decisions. If, say, a GDPR-protected user applies for a bank loan online and is denied based on the automated, data-based calculations of the bank's system, he or she has the right to contest that decision, to demand human intervention, and, most important, to insist on regular audits of those algorithms. (It's significant that the bank is also obligated to make the applicant aware of those rights.)"