Laptop on desk GDPR

Why should the GDPR matter to you?

Today, the European Union’s General Data Protection Regulation (GDPR) will come into effect, meaning all companies that do business in the European Union will have new privacy data compliance regulations for the first time in around twenty years. The new regulation’s  ramifications are pervasive for consumers and data handling companies both in and out of the E.U..

Why should people outside the E.U. care?

Consumers in the U.S.  may want to glance over these new rule changes because  new policies directly the E.U. However, many companies that must adhere to GDPR with their privacy policies intersect with companies that handle privacy data for a global client base. This presents an opportunity for these companies to streamline their policies so that American consumers reap benefits of GDPR compliance. Microsoft recently confirmed such a trend, declaring that they will apply GDPR regulations for Microsoft consumers worldwide.

These new regulations impact U.S. business owners as well, regardless of their size. These business owners must make sure the GDPR protects their European client base. Lastly, the GDPR provides opportunity for each company to examine its own statutes that protect of citizens’ personal data. To support this noton, the regulations include provisions that restrict  data transfer outside of the E.U..  This provision targets countries that fail to achieve an “appropriate level of protection.”

What does it mean to be GDPR compliant?

While it’s hard to dispute the importance of all businesses and consumers understanding the importance of GDPR compliance, it’s just as hard to understand what constitutes being GDPR compliance. GDPR compliance can be broken down into the responsibilities held by companies in the two major roles of data handling: the responsibilities of the data controller, and the responsibilities of the data processor.

Compliance: Data Controllers

Data controllers are the entities that controls and claims responsibility for the usage of personal data, both electronic and analog. Under GDPR, the data controller holds the burden to create a contract with each of its data processors.

To achieve GDPR compliance, companies must disclose their basis for companies to process clients’ personal information in privacy policies. Companies must also disclose the ways that they gather and process personal information. Data controllers must allow customers to opt out of profiling or individual automated-decision making, features that make decisions for customers without human involvement; an example of individual-automated decision making is the recommended items feature that firms like Amazon and Google utilize. The GDPR specifies that data controllers must provide customers equally accessible means to withdraw consent as it was for them to initially give consent to the control of their personal data. Data controllers must receive consent from a legal guardian to process data for children under the age of sixteen. Lastly, the GDPR mandates that any high-risk processing is subject to a Data Protection Impact Assessment (DPIA).

Compliance: Data Processors

Data processors are the entities that process data at the request of a data controller. Where the data controller makes decisions on the use of personal data, the data processor carries out that usage, but does not house any control over that data. GDPR requires data processors to disclose any sub-processors it uses in its privacy policy. GDPR also requires that data processors train their staff in data protection.

Compliance: Shared Duties

The most significant shared duties that data processors and data controllers must uphold deal with new protections for E.U. citizens. The GDPR grants customers the right to easily request access and update their personal information; they can also easily request that controllers delete their personal data and processors. Companies must also automatically discard unnecessary personal data. Customers can also request that controllers deliver their data to themselves or an independent third party. To maintain accountability, both data processors and data controllers must appoint Data Protection Officer (DPO) to oversee the data protection strategy and ensure that their company is maintaining GDPR compliance.

Consequences for non-compliance?

If firms fail to prove that they are following the rules set by the GDPR. Failing to reach these compliance regulations incurs fines up to 4% of their global revenue €20 million ($23.4 million). Regulators will take the larger of the two fines.

What does this mean for personal data regulation?

For the customer of a controller of personal data, the pervasive nature of the GDPR regulation ensures that customers have the means to hold these controllers accountable. Data breaches allow for private information to be collected for unknown use without consent. Facebook’s breach impacted upwards of 87 million of its users and accountability for its role in the breach as a data controller could only be realized after the breach occurred. In Facebook’s case, it took around two years for the knowledge of this breach to be made public. GDPR’s expansion of explicit protections and rights for customers of these companies shifts agency to the consumer.

Under GDPR personal data regulations, Facebook, as a data controller, would evaluate high-risk processing initiatives using the DPIA evaluation process, safeguarding consumers against data processors that may take personal data into their own control. The required disclosure of data controllers’ associated processors and gathering methods  grants the consumer two foreseen protections. Consumers can trace their data beyond the data controller to processors and subprocessors. In doing so, controllers can no longer anonymously incorporate consumer data into trend analysis.

Potential Limitations to the GDPR

The expansive breadth of the GDPR’s territorial and material scope, these guidelines may potentially draw an interesting line regarding privacy regulations for the future. Where digital data controllers, can simply scrub their data of personal information to keep doing trend research, analog controllers do not have the same ability. The GDPR does not restrict companies that must adhere to regulations by size.  This means that independent contractors that handle small-scale analog data still are subject to these data regulations and fines.

Experts do not know how to resolve conflicts between GDPR compliance and foreign legislature. A country that companies store billing receipts for a certain period of time may not allow their companies that distribute to E.U. citizens to scrub personal data despite consumers’ requests. The line of where personal data ends is also unclear; a person’s face (used for facial recognition software) constitutes personal data and may be subject to GDPR protections. Lastly, while consumers can ask that personal data be scrubbed as part of their “right to be forgotten,” companies still have algorithms, that they exclusively own rights to, that identify a past consumer and prospect them on platforms. In a sense, the damage may already be done.

open street- parked-cars-street

Are driverless cars the future of transportation?

Imagine how your daily commute to work or even to visit relatives states away could be transformed if your car took care of the driving for you. In several years, this could be a reality through driverless cars. Many assisted-driver systems exist in the automobile market today. Cruise control, automatic braking, collision avoidance, and lane keeping are common additions to current automobiles. 

This technology has been commonly accepted for years. The next step is driverless cars. There is a significant difference between assisted-driver systems and and automated driver systems. Drivers are expected to remain alert when operating assisted-driver systems, but with automated-driver or driverless systems, drivers could essentially become passengers, and would even be able to devote their attention to a completely separate task, such as reading a book or catching up on their favorite show on Netflix.

Major Players in the Space:

General Motors and Waymo are currently leaders in the development of driverless cars. Several years ago, GM acquired Cruise, a self-driving startup, with which the Cruise AV (a modified version of Chevrolet Bolt EV) was adapted. The vehicles are currently being tested in San Francisco and in the suburbs of Phoenix. GM recently filed a safety petition with the US Department of Transportation to put the Cruise AV on the market in 2019. Cruise AV do not comply with a number of federal safety standards, but GM argues that exceptions need to be made for driverless cars, which cannot and should not need to conform to “human-driver-based requirements” to be safe. The Cruise AV does not have a steering wheel, pedals, or any other manual controls. GM President Dan Ammann asserts that a car without a steering wheel cannot have a steering wheel airbag, for example. As driverless cars are introduced into the market, safety regulations need to be updated to reflect their differences from driver-operated cars.

Waymo began as a part of Google X, a Google research unit, in 2009. In 2016, Google made its driverless car project a separate entity under Google named Waymo.  In 2015, Waymo conducted a driverless car’s first completely independent trip, when Steve Mahan, a legally blind man, was transported from a park to a doctor’s office. In 2017, Waymo partnered with Intel and Chrysler, adopting their Pacifica Hybrid minivans.

Waymo’s driverless cars afford many safety features, including braking and backup steering. The company has been developing its driverless cars for years. Testing them with test drivers at the wheel, now, Waymo’s Chrysler Pacificas are operating completely independently in Phoenix’s metropolitan area through the Early Rider Program. Residents of Phoenix can apply to be part of the Early Rider Program and use Waymo’s driverless Chrysler Pacificas in their everyday lives, providing feedback on their experiences. Recently, Waymo also partnered with Lyft, the second largest ride-hailing service in the United States, after Uber. The companies did not release many details regarding their plans together, but we can anticipate that the future of ride-hailing might not include drivers.

Uber has also taken steps to begin using driverless cars. The company recently made a deal with Volvo in which they will purchase 24,000 of its XC90 SUVs between 2019 and 2021. The XC90 is the base of Uber’s current self-driving test car. The cars are installed with autonomous driving technology after purchase. Uber has already been using XC90s for testing in Pittsburgh, and Uber also made a deal to include Mercedes-Benz in their operations at some point. However, Uber’s progress was threatened when the company was sued by Waymo, which claimed that Uber stole trade secrets regarding driverless cars. The competition between the two companies, and among smaller companies, is tremendous, considering that these companies may reinvent the ride-hailing industry.

The possibility of driverless cars both excites and scares most people.

How People Feel About Driverless Cars:

The potential reality of seemingly futuristic technology is enthusing, but there are also several causes for concern. A CARAVAN poll found that 64% of respondents are concerned by sharing the road with driverless cars, while a separate study conducted by the Pew National Research Center concluded that 56% of respondents would not ride in a self-driving vehicle. Much of this scepticism can be attributed to doubt regarding the safety of automated-driving technology and if a computer is really capable of making quick decisions on the road the way a person is. However, about 90% of automobile accidents are attributed to human error, which leads us to believe that if you take drivers out of the equation, the road might be a safer place.

Another concern is the direct effects of driverless cars on people. For instance, as automated-driver technology becomes the norm, people will not need to learn how to drive anymore, resulting in the loss of another skill. If driverless cars begin to dominate the transportation industry, whether that be through ride hailing or through public transportation, a whole industry of people will lose their professions.

Cyber Security:

Perhaps the greatest issue with driverless cars is the possibility that they could be hacked and and controlled remotely. Already, modern cars come with internet connection and bluetooth to operate navigation and entertainment systems, which leave them somewhat vulnerable to cyberattack. In 2015, security researchers Chris Valasek and Charlie Miller hacked into a 2014 Jeep Cherokee, remotely stopping the car on highway I-64. They were even able to control the car’s steering, or disable the breaks completely when the car was going at a very low speed. Chrysler recalled 1.4 million vehicles and updated their security following this incident. Although assisted-driver systems are already at risk of being hacked or otherwise manipulated, automated-driver systems share this danger, but with greater implications.

Attacks on assisted-driver systems are dangerous, but do not necessarily have to be disastrous–if the driver is paying attention. For example, a hacked steering system can be overpowered by a driver forcefully turning the steering wheel in his desired direction. However, in an automated-driver system, when there is no one to mitigate such an attack.

Similarly, collision-avoidance technology could be manipulated in several ways. In 2016, researchers at CMU found that glasses with a certain pattern can defeat advanced recognition algorithms, causing a vehicle not to recognize a person in its path. Researchers at the University of South Carolina, Zhejiang University in China, and the Chinese security firm Qihoo 360 all found that sensors on the Tesla S could be confused. Exposing the car to a variety of radio, sound, and light emitting tools, caused the sensors to fail to recognize objects in the vehicle’s path. Although normalizing automated-driving technology is risky, there are many benefits, notably convenience and the safety that comes with eliminating human error.

As we enter the unknown world of self-driving cars, it is important to remain cautious, but also open to new possibilities.

To learn more about the legality of technology in our world visit  The LawDecoder 

What are the consequences of the loss of net neutrality for consumers and startups?

So what is net neutrality?

The topic of net neutrality has dominated the internet for weeks. Many people have been speculating the implications of net neutrality in both the news and on social media. Will we have to pay more to access our favorite websites? Are startups and small businesses doomed? Is the internet as we know it gone forever? While net neutrality is a valid cause for concern, I wouldn’t start mourning the death of the internet just yet.

In 2015, the Federal Communications Commission established net neutrality regulations. High-speed internet was reclassified from an information to a telecommunications service. Information services are subjected to less regulation than telecommunications services, which can be regulated under Title II of the Communications Act. These rules were established to protect the open Internet, prohibiting Internet service providers (ISPs) from promoting some content over other content unfairly.

What may happen?

Without net neutrality regulations, this could occur in several ways, including paid prioritization, in which a content owner pays an ISP to promote its content over other content or to install “fast lanes” to their website. An ISP could also prioritize their own content, or block certain websites, such as those of competitors.

How did net neutrality get repealed? 

On December 14, 2017, the FCC repealed these net neutrality regulations. The Federal Communications Commission’s chairman, Ajit Pai, and two other Republican commissioners voted against net neutrality, granting them the majority at 3-2. The supposed benefit of repealing net neutrality regulations is to promote competition among Internet providers. Supporters of the repeal of net neutrality regulations suggest that internet service providers will not reduce consumers’ internet capabilities, but promote innovation and reasonable prices. Major internet providers such as Comcast and AT&T claim that our internet experience will not change drastically and that they will not engage in most forms of paid prioritization. However, many of us remain skeptical.

History of net neutrality

Throughout the internet, a cause for concern was established due to the behavior of ISPs before the 2015 regulations were put into place. In 2005, CompTel, a trade association consisting of AT&T’s competitors, requested documents from the FCC regarding AT&T’s potential overcharging of the agency for a project. AT&T dissented on the grounds of “personal privacy” under the Freedom of Information Act (FOIA). In 2009,  a Third Circuit federal appeals court ruled in FCC v. AT&T Inc. that corporations are entitled to personal privacy because they are considered persons under other sections of FOIA. The case was appealed, and the Supreme Court overturned the lower court decision, stating that corporations do not have the personal privacy that could protect them from the release of public records obtained by a government agency.

Several years later, Comcast was found to have been slowing its customers’ access to BitTorrent, a “peer-to-peer” file-sharing service. BitTorrent is one of the most commonly used means of sharing large electronic files, including audio and video files. The FCC attempted to regulate this practice but in Comcast Corp. v. FCC (2010), a federal appeals court ruled that the FCC does not have the authority to regulate Internet providers by requiring them to treat all web traffic equally, citing the FCC’s failure to demonstrate its “ancillary authority” over Comcast’s practices. That same year, the FCC approved the Open Internet Order, which barred internet providers from preventing access to certain websites (such as competitor websites). In 2012, AT&T faced backlash after blocking the FaceTime app on the phones of customers with certain data plans. The FCC charged AT&T a fine and eventually users were able to continue using the app. The actions of ISPs throughout the years make it very uncertain that we will continue to be able to view content without restrictions.

Actual Consequences

Although it is true that the internet as we know it is not going to change overnight, over time, the repeal of net neutrality regulations could cause significant changes for both consumers and startups/small businesses. Service providers like Comcast or AT&T could decide to charge companies to deliver more web traffic from the websites’ servers. Such service providers could also create faster lanes of delivery for their own sites so that consumers will have more difficulty viewing competitors’ sites. Companies (e.g Amazon, Netflix) could decide to charge their customers extra money in order to compensate for their payments to internet service providers, potentially increasing our internet bills drastically.

It seems unlikely that the repeal of net neutrality regulations will lead to meaningful increased competition, considering that a handful of corporations dominate internet service. Even more unnerving is the possibility of strict limitations on the content that we can view and the websites that we can use. If paid prioritization takes effect, and it is much faster and easier to access larger, more prominent companies online that can afford to pay for faster service, there are several dangerous implications for both consumers and small businesses. Limiting consumers’ access to websites of startups, small businesses, and small, independent news sources strips them of their consumer choice and their ability to stay informed.

Impact on Startups and Small Businesses

Furthermore, the absence of net neutrality could be detrimental to startups, which rely heavily on the internet to promote their products and gain a following. It is unlikely that startups will be able to compete with larger, more well-known businesses if internet service providers decide to start charging websites for service. Contrary to its supposed intention, the elimination of net neutrality will hamper innovation and competition.

While the idea of paying more for internet service is unappealing to most people, the most concerning aspect of deregulating the internet is the absence of information and choice that will affect all of us. Thanks to the open internet, we have been able to view the information we want from a plethora of sources. Without the open internet, we will see whatever the largest few ISPs, such as Comcast and AT&T, want us to see. While other sources of information, such as newspapers, do exist and are important, they do not reach everyone to the extent that the Internet does.

The Internet allows us to both access and shares the most recent information in seconds. It provides a connection among peers and between citizens and government. Without the open Internet, a restriction of freedom exists. However, there is still hope for net neutrality. Democratic Senator Chuck Schumer (New York) has suggested that he will force a Congressional vote on net neutrality by using the Congressional Review Act (CRA). It is likely that there will also be multiple lawsuits against the FCC. Now, during these essential first moments, is the time to be proactive in order to preserve net neutrality.


What ShopRite Taught Me About Milk

Ever since I found out drinking regular milk gives me the most painful stomach aches, I have always used milk substitutes in my everyday life. In coffee shops, I ask for soy milk in my coffee. Whenever I find myself in an ice cream shop, I make sure to look for non-dairy options. Before I bake anything, I make sure I have enough almond milk in the fridge. Once I made the mistake of mixing my almond milk with a little bit of regular milk to make the right amount of pancakes, and I couldn’t stand up straight for the rest of the day because of the pain.

So, here I am: a twenty-one year old, lactose-intolerant college student, living in the center of Philadelphia. The problem with this is that I am living in the second city in the United States to institute a sugar tax on beverages, including milk substitutes.

Yes. The city of Philadelphia is raising the prices of certain almond, cashew, soy milks for the same reason it is taxing people for the sugar in soda. As someone with a food intolerance, I find it unfair to raise the prices of products that help people avoid pain and a trip to the hospital. And I certainly didn’t understand why the price labels for certain “original” flavored milk-substitutes in grocery stores include additional tax when the Philadelphia Beverage Tax website explicitly states, “Unsweetened nut and plant milks are not taxable.”

It took a lot of trips to the closest grocery store, which for me is ShopRite, to figure out the nuances of this recently established tax. It quickly became clear that the flavor titles, such as “original” and “vanilla,” mean very different things across various brands. For example, Pacific’s Vanilla Almond Milk is unsweetened, and therefore, is exempt from the beverage tax, but the Almond Breeze’s Vanilla Almond Milk includes a $0.48 tax in its price.

philly beverage tax, soda tax, allergies, lactose intolerance


A more confusing example of the labeling contradiction on milk-substitutes cartons is the use of the term, “original.” Within the Wholesome Pantry brand, the Original Soymilk is not affected by the tax, whereas the Original Almondmilk is charged an additional $0.96. The only consistent aspect of this labeling fiasco is that it is entirely inconsistent. Wholesome Pantry, Silk, Almond Breeze, and WestSoy all have unsweetened products that are exempt from the beverage tax, however some other non-dairy products they offer are taxed.

The Philadelphia Beverage Tax website explains which drinks are subjected to the tax. It says:

Sweetened nut and plant milks are taxable unless the USDA has deemed them nutritionally equivalent to dairy milk and that nut or plant milk is 50% or more of the finished beverage. Unsweetened nut and plant milks are not taxable.

The website, however, fails to mention that the names of flavors is not indicative of whether or not the product is pre-sweetened. Unlike the categories of dairy milk (skim, 2%, whole) which are clearly defined, the categories of nut and plant milks are not subject to standardized definitions. Unless you are familiar with the names of sweeteners, there is no quick method of determining if the products you are buying are correctly taxed.

If you suspect any mistakes in the pricing of your beverages, you can call to notify your local and state Director of Consumer Protection. (


All Publicity is not Necessarily Good Publicity

“Defendants childishly demeaned and disparaged Mr. Murray and his companies, made jokes about Mr. Murray’s age, health, and appearance, [and] broadcasted false statements… Nothing has ever stressed him more than this vicious and untruthful attack.” This quote is from Bob Murray’s defamation lawsuit against John Oliver, the host of HBO’s Last Week Tonight. Just three days after the episode about the coal industry aired on television, Oliver was accused of assassinating the character and reputation of the CEO of Murray Energy.

When comparing what Oliver had said about Murray to the insults of others (the notorious late Joan Rivers once said Tommy Lee Jones “makes Hitler look warm and fuzzy”), his comments comparing Murray to a “geriatric Dr. Evil” seem mild, and maybe even harmless. Especially in the age of media and the Internet, worse things have been said about other individuals. So you may be wondering: when is it legal to say whatever you want about another person on live TV or in the press?

Let’s talk about the distinction between defamation law and protected speech under the First Amendment. If a person can prove that his/her statement is a true fact, it is protected under the First Amendment. Additionally, statements of puffery (language that no reasonable person would believe to be true) are allowable. It is only false statements that run the risk of falling under the legal category of defamation.

Statements known to be false before their delivery can be considered defamatory. If someone says something false about another but it has no impact on their reputation, it wouldn’t be a legal issue. However, if the false statement had a profound impact on the public’s opinion on the victim, it would be defamation. Even opinions aren’t necessarily protected speech. It’s slander to knowingly spread a lie, even if it is prefaced by “in my opinion….”

In the age of social media where anyone can be a publisher and upload material for the whole world to see, defamatory statements are no longer limited to the rich and/or famous. “Regular” people are now becoming victims of defamation. Let’s take memes, for example. Memes have become an integral piece of pop culture, allowing people to communicate with friends by sending them photos with a relatable and/or humorous caption. But where do the photos from these memes come from? Often photos of people are taken from the internet without their knowledge or permission and are put in a completely different context for the sake of comedic effect. When the punchline of the meme is insulting and damages to the reputation of the person in the photo, it can be seen as defamatory.

Adam Holland, a man with Down Syndrome from Nashville, Tennessee, became the victim of a vicious thread of memes when people found a photo of him holding a drawing of a football team reading “Go Titans,” and photoshopped it. One man in Minnesota posted the image to Flickr and replaced Holland’s words with “I got a boner.” A radio station in Florida posted the image on their website with the title “Retarded News.” Michael Sharkey, program director of the station, explained that they used the photo as a banner for their news segment “designed to highlight odd stories that are seemingly always in the news.” The Holland family sued on the grounds that the doctored photo of Adam was defamatory, deceptive, and misleading. They were awarded $150,000 in federal court.

Defamation may be ubiquitous online in the age of social media, but that does not excuse it under the law. The Holland family’s case demonstrates that you don’t need to be a politician, actor, or business mogul, to be compensated for defamatory statements. Defamation law is by nature very subjective so the process of resolving these cases is not always clear. It’s important to know that protections from defamatory statements exist, but it is not always clear cut if something is “damaging to a person’s reputation.” Ultimately, it is up for a jury to decide whether a statement is defamatory or not.