With less than a month before the EU’s GDPR (General Data Protection Regulation) becomes law, Buttarelli said the tone of the emails of many organisations updating their privacy policies leaves a lot to be desired.
‘If this encounter seems a “take it or leave it” proposition – with perhaps a hint of menace – then it is a travesty of at least the spirit of the new regulation’
– GIOVANNI BUTTARELLI
“The digital information ecosystem farms people for their attention, ideas and data in exchange for so-called ‘free’ services,” Buttarelli said.
“Unlike their analogue equivalents, these sweatshops of the connected world extract more than one’s labour and, while clocking into the online factory is effortless, it is often impossible to clock off.
“I am reminded of this state of affairs by the recent stream of messages from online service providers about changes to their terms and conditions and privacy policies. The messages vary of course, and some explicitly cite the GDPR – fully applicable in less than a month’s time – as the reason for the change. Failure to accept the new terms by 25 May, we are told, will mean we can no longer use these services.”
Trust and control are central tenets of GDPR
Buttarelli said that often, these emails are nothing more than a cynical data-collection exercise.
“For most people outside the esoteric data protection bubble, this represents first contact with the new dispensation of digital rights and obligations in the EU. If this encounter seems a ‘take it or leave it’ proposition – with perhaps a hint of menace – then it is a travesty of at least the spirit of the new regulation, which aims to restore a sense of trust and control over what happens to our online lives.”
He said that the most recent Cambridge Analytica scandal has served to expose a “broken and unbalanced” ecosystem that is reliant on unscrupulous personal data collection and microtargeting, for whatever purposes, promising to generate clicks and revenues.
“As the state of things digital becomes gradually clearer, there are already noises suggesting that if you object to being tracked in exchange for the ‘free’ services on which many of our lives now depend, then the only alternative is to pay.
“But the fundamental right to privacy and related freedoms like free speech and non-discrimination apply to all; they cannot be the exclusive privilege of those who can afford to pay.
“The positive takeaway from all of this is not simply that data protection has suddenly become trendy. Regard for online privacy is now firmly a part of the PR toolkit of any organisation which cares about its customers and reputation.”
Buttarelli said that the big risk, however, is a growing gulf between hyperbole and reality, “where controllers learn to talk a good game while continuing with the same old harmful habits which the EU legislator has been attempting to dispel with the GDPR and other ongoing reforms, notably the ePrivacy Regulation”.
He also dismissed claims that GDPR will only favour big companies. He said the broader reality is that accountability and obligations within GDPR are scalable.
“Controllers responsible for personal data processing on a massive scale, involving data of the most sensitive nature, face by far the biggest challenge in demonstrating the lawfulness and indeed ethical grounds for what they have been doing over the last decade or two.
“The GDPR is, essentially, about accountability of controllers, safeguards for individuals, including giving them more control over what happens to their data. Its greater goal is to protect individuals, not companies,” Buttarelli said.