Laptop on desk GDPR

Why should the GDPR matter to you?

Today, the European Union’s General Data Protection Regulation (GDPR) will come into effect, meaning all companies that do business in the European Union will have new privacy data compliance regulations for the first time in around twenty years. The new regulation’s  ramifications are pervasive for consumers and data handling companies both in and out of the E.U..

Why should people outside the E.U. care?

Consumers in the U.S.  may want to glance over these new rule changes because  new policies directly the E.U. However, many companies that must adhere to GDPR with their privacy policies intersect with companies that handle privacy data for a global client base. This presents an opportunity for these companies to streamline their policies so that American consumers reap benefits of GDPR compliance. Microsoft recently confirmed such a trend, declaring that they will apply GDPR regulations for Microsoft consumers worldwide.

These new regulations impact U.S. business owners as well, regardless of their size. These business owners must make sure the GDPR protects their European client base. Lastly, the GDPR provides opportunity for each company to examine its own statutes that protect of citizens’ personal data. To support this noton, the regulations include provisions that restrict  data transfer outside of the E.U..  This provision targets countries that fail to achieve an “appropriate level of protection.”

What does it mean to be GDPR compliant?

While it’s hard to dispute the importance of all businesses and consumers understanding the importance of GDPR compliance, it’s just as hard to understand what constitutes being GDPR compliance. GDPR compliance can be broken down into the responsibilities held by companies in the two major roles of data handling: the responsibilities of the data controller, and the responsibilities of the data processor.

Compliance: Data Controllers

Data controllers are the entities that controls and claims responsibility for the usage of personal data, both electronic and analog. Under GDPR, the data controller holds the burden to create a contract with each of its data processors.

To achieve GDPR compliance, companies must disclose their basis for companies to process clients’ personal information in privacy policies. Companies must also disclose the ways that they gather and process personal information. Data controllers must allow customers to opt out of profiling or individual automated-decision making, features that make decisions for customers without human involvement; an example of individual-automated decision making is the recommended items feature that firms like Amazon and Google utilize. The GDPR specifies that data controllers must provide customers equally accessible means to withdraw consent as it was for them to initially give consent to the control of their personal data. Data controllers must receive consent from a legal guardian to process data for children under the age of sixteen. Lastly, the GDPR mandates that any high-risk processing is subject to a Data Protection Impact Assessment (DPIA).

Compliance: Data Processors

Data processors are the entities that process data at the request of a data controller. Where the data controller makes decisions on the use of personal data, the data processor carries out that usage, but does not house any control over that data. GDPR requires data processors to disclose any sub-processors it uses in its privacy policy. GDPR also requires that data processors train their staff in data protection.

Compliance: Shared Duties

The most significant shared duties that data processors and data controllers must uphold deal with new protections for E.U. citizens. The GDPR grants customers the right to easily request access and update their personal information; they can also easily request that controllers delete their personal data and processors. Companies must also automatically discard unnecessary personal data. Customers can also request that controllers deliver their data to themselves or an independent third party. To maintain accountability, both data processors and data controllers must appoint Data Protection Officer (DPO) to oversee the data protection strategy and ensure that their company is maintaining GDPR compliance.

Consequences for non-compliance?

If firms fail to prove that they are following the rules set by the GDPR. Failing to reach these compliance regulations incurs fines up to 4% of their global revenue €20 million ($23.4 million). Regulators will take the larger of the two fines.

What does this mean for personal data regulation?

For the customer of a controller of personal data, the pervasive nature of the GDPR regulation ensures that customers have the means to hold these controllers accountable. Data breaches allow for private information to be collected for unknown use without consent. Facebook’s breach impacted upwards of 87 million of its users and accountability for its role in the breach as a data controller could only be realized after the breach occurred. In Facebook’s case, it took around two years for the knowledge of this breach to be made public. GDPR’s expansion of explicit protections and rights for customers of these companies shifts agency to the consumer.

Under GDPR personal data regulations, Facebook, as a data controller, would evaluate high-risk processing initiatives using the DPIA evaluation process, safeguarding consumers against data processors that may take personal data into their own control. The required disclosure of data controllers’ associated processors and gathering methods  grants the consumer two foreseen protections. Consumers can trace their data beyond the data controller to processors and subprocessors. In doing so, controllers can no longer anonymously incorporate consumer data into trend analysis.

Potential Limitations to the GDPR

The expansive breadth of the GDPR’s territorial and material scope, these guidelines may potentially draw an interesting line regarding privacy regulations for the future. Where digital data controllers, can simply scrub their data of personal information to keep doing trend research, analog controllers do not have the same ability. The GDPR does not restrict companies that must adhere to regulations by size.  This means that independent contractors that handle small-scale analog data still are subject to these data regulations and fines.

Experts do not know how to resolve conflicts between GDPR compliance and foreign legislature. A country that companies store billing receipts for a certain period of time may not allow their companies that distribute to E.U. citizens to scrub personal data despite consumers’ requests. The line of where personal data ends is also unclear; a person’s face (used for facial recognition software) constitutes personal data and may be subject to GDPR protections. Lastly, while consumers can ask that personal data be scrubbed as part of their “right to be forgotten,” companies still have algorithms, that they exclusively own rights to, that identify a past consumer and prospect them on platforms. In a sense, the damage may already be done.

What are the consequences of the loss of net neutrality for consumers and startups?

So what is net neutrality?

The topic of net neutrality has dominated the internet for weeks. Many people have been speculating the implications of net neutrality in both the news and on social media. Will we have to pay more to access our favorite websites? Are startups and small businesses doomed? Is the internet as we know it gone forever? While net neutrality is a valid cause for concern, I wouldn’t start mourning the death of the internet just yet.

In 2015, the Federal Communications Commission established net neutrality regulations. High-speed internet was reclassified from an information to a telecommunications service. Information services are subjected to less regulation than telecommunications services, which can be regulated under Title II of the Communications Act. These rules were established to protect the open Internet, prohibiting Internet service providers (ISPs) from promoting some content over other content unfairly.

What may happen?

Without net neutrality regulations, this could occur in several ways, including paid prioritization, in which a content owner pays an ISP to promote its content over other content or to install “fast lanes” to their website. An ISP could also prioritize their own content, or block certain websites, such as those of competitors.

How did net neutrality get repealed? 

On December 14, 2017, the FCC repealed these net neutrality regulations. The Federal Communications Commission’s chairman, Ajit Pai, and two other Republican commissioners voted against net neutrality, granting them the majority at 3-2. The supposed benefit of repealing net neutrality regulations is to promote competition among Internet providers. Supporters of the repeal of net neutrality regulations suggest that internet service providers will not reduce consumers’ internet capabilities, but promote innovation and reasonable prices. Major internet providers such as Comcast and AT&T claim that our internet experience will not change drastically and that they will not engage in most forms of paid prioritization. However, many of us remain skeptical.

History of net neutrality

Throughout the internet, a cause for concern was established due to the behavior of ISPs before the 2015 regulations were put into place. In 2005, CompTel, a trade association consisting of AT&T’s competitors, requested documents from the FCC regarding AT&T’s potential overcharging of the agency for a project. AT&T dissented on the grounds of “personal privacy” under the Freedom of Information Act (FOIA). In 2009,  a Third Circuit federal appeals court ruled in FCC v. AT&T Inc. that corporations are entitled to personal privacy because they are considered persons under other sections of FOIA. The case was appealed, and the Supreme Court overturned the lower court decision, stating that corporations do not have the personal privacy that could protect them from the release of public records obtained by a government agency.

Several years later, Comcast was found to have been slowing its customers’ access to BitTorrent, a “peer-to-peer” file-sharing service. BitTorrent is one of the most commonly used means of sharing large electronic files, including audio and video files. The FCC attempted to regulate this practice but in Comcast Corp. v. FCC (2010), a federal appeals court ruled that the FCC does not have the authority to regulate Internet providers by requiring them to treat all web traffic equally, citing the FCC’s failure to demonstrate its “ancillary authority” over Comcast’s practices. That same year, the FCC approved the Open Internet Order, which barred internet providers from preventing access to certain websites (such as competitor websites). In 2012, AT&T faced backlash after blocking the FaceTime app on the phones of customers with certain data plans. The FCC charged AT&T a fine and eventually users were able to continue using the app. The actions of ISPs throughout the years make it very uncertain that we will continue to be able to view content without restrictions.

Actual Consequences

Although it is true that the internet as we know it is not going to change overnight, over time, the repeal of net neutrality regulations could cause significant changes for both consumers and startups/small businesses. Service providers like Comcast or AT&T could decide to charge companies to deliver more web traffic from the websites’ servers. Such service providers could also create faster lanes of delivery for their own sites so that consumers will have more difficulty viewing competitors’ sites. Companies (e.g Amazon, Netflix) could decide to charge their customers extra money in order to compensate for their payments to internet service providers, potentially increasing our internet bills drastically.

It seems unlikely that the repeal of net neutrality regulations will lead to meaningful increased competition, considering that a handful of corporations dominate internet service. Even more unnerving is the possibility of strict limitations on the content that we can view and the websites that we can use. If paid prioritization takes effect, and it is much faster and easier to access larger, more prominent companies online that can afford to pay for faster service, there are several dangerous implications for both consumers and small businesses. Limiting consumers’ access to websites of startups, small businesses, and small, independent news sources strips them of their consumer choice and their ability to stay informed.

Impact on Startups and Small Businesses

Furthermore, the absence of net neutrality could be detrimental to startups, which rely heavily on the internet to promote their products and gain a following. It is unlikely that startups will be able to compete with larger, more well-known businesses if internet service providers decide to start charging websites for service. Contrary to its supposed intention, the elimination of net neutrality will hamper innovation and competition.

While the idea of paying more for internet service is unappealing to most people, the most concerning aspect of deregulating the internet is the absence of information and choice that will affect all of us. Thanks to the open internet, we have been able to view the information we want from a plethora of sources. Without the open internet, we will see whatever the largest few ISPs, such as Comcast and AT&T, want us to see. While other sources of information, such as newspapers, do exist and are important, they do not reach everyone to the extent that the Internet does.

The Internet allows us to both access and shares the most recent information in seconds. It provides a connection among peers and between citizens and government. Without the open Internet, a restriction of freedom exists. However, there is still hope for net neutrality. Democratic Senator Chuck Schumer (New York) has suggested that he will force a Congressional vote on net neutrality by using the Congressional Review Act (CRA). It is likely that there will also be multiple lawsuits against the FCC. Now, during these essential first moments, is the time to be proactive in order to preserve net neutrality.

technology

Does the iPhone X’s Face ID Put Your Privacy at Risk?

With current technology, we are left with almost nothing to wish for. A decade ago, the services available to us now would be unfathomable. Today, you can have groceries, a professional massage, or a latte delivered to your door in minutes just by using your smartphone.

Smart Phone Revolution

With the release of the iPhone X, facial recognition software has become a popular topic of discussion. On Apple’s website, the features are described as “some of the most sophisticated technology we’ve ever developed,” including “cameras and sensors that enable Face ID.” However, the continuous development of this type of technology, is accompanied by privacy concerns. Making us wonder if unlocking our phones so easily is really worth it.

Facial recognition in the Samsung Galaxy 8 can be easily manipulated with a photo of the phone’s owner.  Apple claims that such a breach of privacy is not possible with the iPhone X.

The iPhone X’s “True Depth Camera” works by analyzing 30,000 individual points on your face, creating both a facial map and an in-depth image of your face. Apple assures users that facial data for unlocking the iPhone X will only be stored in the phone itself. Yet, thousands of third-party app developers can access to some of this facial data. 

Sharing data with app developers is not alone enough to unlock a phone. Privacy activists though are wary of granting access to something as intimate as your face, to thousands of people.

Concerns about people unlocking your phone or being forced to unlock your phone under duress of law enforcement or an abusive partner are legitimate. There is always the possibility that another person could force you to reveal your four-digit passcode. New technologies  like Face ID and Touch ID  now just make it more feasible.

Case Law

Until there is more case law regarding Face ID, we won’t know its exact legal implications. However, a judging from a recent Minnesota case, technology such as Face ID and Touch ID cannot protect your phone from law enforcement. The case, State vs. Diamond, ruled that, when a court has issued a warrant allowing police to search a phone, a suspect can be compelled to unlock his phone with his fingerprint. Fingerprints, unlike passcodes, are not protected by the Fifth Amendment right against self-incrimination. 

The court reason that being compelled with a warrant to unlock a phone via Touch ID is similar to being compelled to give a blood sample, and does not require a person to reveal any knowledge that could be considered self-incriminating.

Facial recognition technology is not limited to the iPhone X. Experiments utilize it in order to attempt to reduce airport lines, prevent voter fraud, and provide better quality CCTV. As technology continues to develop, we need to weigh the costs of losing privacy against convenience and accessibility.

 

technology

Don’t Feed the Trolls

Social media has taken over our lives, for better or worse. It’s where we go to see the news, share our meals, and express how we’re feeling about the latest sporting events. We send pictures, post reaction GIFs, and make sure that we are up to date with all of our friends. We create, collaborate, and communicate, at all times. We doze off to sleep on our Facebook feeds each night and wake up to greet Snapchat stories each morning. Social media has connected the world, but it has also introduced us to new means of harassment, permeating from message boards into homes, schools, and even the workplace.

When discussing trolling and cyberbullying, some argue that the primary differentiator is reaction.  Users troll to provoke reactions from others, and to make them the topic of conversation.  Trolling behavior is usually confined to inflammatory Facebook, Reddit, YouTube, and Twitter commentary towards different fan-groups.  Most trolls do it sarcastically, and have no conviction in what they actually say. As noted in a Time Magazine cover story last year, “trolls don’t hate people as much as they love the game of hating people.”  The common solution is “Don’t Feed the Trolls” or, just ignore and block their posts because it doesn’t add to the conversation at hand.

Cyberbullying, on the other hand, can be characterized as a methodical attack on a small group or individual. Traditionally, cyberbullying involves a smaller audience, either via chat-rooms or directly through someone’s social media accounts. Typically, the instigator takes the situation seriously and has malicious intentions. “Social media is a great tool, but it can be used for good and it can be used for harm and destruction” Tyler Clementi’s mother’s words ring true, spoken years after her son was outed as homosexual on the internet and committed suicide in 2010. His roommate, Dharun Ravi, used a webcam to spy on Clementi and used social media to invite peers to watch a sexual encounter. The case drew international attention to the bullying of LGBT teenagers. Another case drew international traction in 2012 after the suicide of 15-year old Amanda Todd. Before her death, Todd uploaded a video describing the cyber-bullying and blackmailing that she suffered, including the non consensual sharing of nude photos. The YouTube clip gained millions of views and sparked an inter-generational dialogue over the prevalence of social media in the daily lives of young people and how that power can be used to cause devastating outcomes.

Despite these headlines and massive advocacy efforts, courts have been relatively divided when ruling on such cases.  Elonis v. US (2015) further muddled the dialogue, with the Supreme Court ruling 8-1 that a Facebook post of threatening lyrics was not enough to prove intent to harm.

When does trolling cross the line into cyberbullying? Is hate-speech free speech? When does an online threat become admissible in court? No one can deny that we’ve come a long way from Barlow’s 1996 Declaration of the Independence of Cyberspace which relies on the Golden Rule and asserts a world where “anyone, anywhere may express his or her opinion no matter how singular, without fear of being coerced into silence or conformity.” Despite the monumental changes and paradigm shifts in Internet culture over the last twenty years, there has yet to be a clear response in the courtrooms. We are at a crucial moment for the legal implications of cyberspeech. Major backlash during the most recent election cycle and subsequent circumstances has catapulted questions of the First Amendment back into the national dialogue. We lack clear case law up to this point, but courts will begin to set precedents for online interactions over the next few years and create the fine line that will separate trolling from cyberbullying.  Until then, the decision will continue to be left to the reader’s’ discretion, whether it be perpetrator, victim, lawyer, or judge.

*Disclaimer this is not legal advice but the experience of a non-attorney member of the Law Decoder community sharing a personal experience for entertainment purposes.