
Why should the GDPR matter to you?

Today, the European Union’s General Data Protection Regulation (GDPR) comes into effect, meaning that all companies doing business in the European Union face new privacy data compliance regulations for the first time in around twenty years. The new regulation’s ramifications are pervasive for consumers and data handling companies both in and out of the E.U.

Why should people outside the E.U. care?

Consumers in the U.S. may also want to look over these rule changes, even though the new policies directly apply to the E.U. Many companies that must bring their privacy policies in line with the GDPR also handle privacy data for a global client base. This presents an opportunity for these companies to streamline their policies so that American consumers reap the benefits of GDPR compliance as well. Microsoft recently confirmed such a trend, declaring that it will apply GDPR regulations to Microsoft consumers worldwide.

These new regulations affect U.S. business owners as well, regardless of their size. These business owners must make sure that their European client base receives the protections the GDPR requires. Lastly, the GDPR provides an opportunity for each company to examine its own statutes that protect citizens’ personal data. To support this notion, the regulations include provisions that restrict data transfer outside of the E.U. This provision targets countries that fail to achieve an “appropriate level of protection.”

What does it mean to be GDPR compliant?

While it’s hard to dispute that all businesses and consumers should understand GDPR compliance, it’s just as hard to understand what constitutes GDPR compliance. GDPR compliance can be broken down into the responsibilities held by companies in the two major roles of data handling: the responsibilities of the data controller, and the responsibilities of the data processor.

Compliance: Data Controllers

Data controllers are the entities that control and claim responsibility for the usage of personal data, both electronic and analog. Under GDPR, the data controller bears the burden of creating a contract with each of its data processors.

To achieve GDPR compliance, companies must disclose in their privacy policies the basis on which they process clients’ personal information. Companies must also disclose the ways in which they gather and process personal information. Data controllers must allow customers to opt out of profiling or individual automated decision-making, features that make decisions for customers without human involvement; an example of individual automated decision-making is the recommended-items feature that firms like Amazon and Google use. The GDPR specifies that data controllers must provide customers with means of withdrawing consent that are as accessible as the means by which they initially gave consent to the control of their personal data. Data controllers must receive consent from a legal guardian to process data for children under the age of sixteen. Lastly, the GDPR mandates that any high-risk processing is subject to a Data Protection Impact Assessment (DPIA).

Compliance: Data Processors

Data processors are the entities that process data at the request of a data controller. Where the data controller makes decisions on the use of personal data, the data processor carries out that usage but does not hold any control over the data. GDPR requires data processors to disclose any sub-processors they use in their privacy policies. GDPR also requires that data processors train their staff in data protection.

Compliance: Shared Duties

The most significant shared duties that data processors and data controllers must uphold concern new protections for E.U. citizens. The GDPR grants customers the right to easily request access to and updates of their personal information; they can also easily request that controllers and processors delete their personal data. Companies must also automatically discard unnecessary personal data. Customers can also request that controllers deliver their data to them or to an independent third party. To maintain accountability, both data processors and data controllers must appoint a Data Protection Officer (DPO) to oversee the data protection strategy and ensure that their company is maintaining GDPR compliance.

Consequences for non-compliance?

Firms that fail to prove that they are following the rules set by the GDPR incur fines of up to 4% of their global revenue or €20 million ($23.4 million). Regulators will take the larger of the two fines.

What does this mean for personal data regulation?

For the customer of a controller of personal data, the pervasive nature of the GDPR regulation ensures that customers have the means to hold these controllers accountable. Data breaches allow private information to be collected for unknown use without consent. Facebook’s breach impacted upwards of 87 million of its users, and accountability for its role in the breach as a data controller could only be realized after the breach occurred. In Facebook’s case, it took around two years for this breach to become public knowledge. GDPR’s expansion of explicit protections and rights for customers of these companies shifts agency to the consumer.

Under GDPR personal data regulations, Facebook, as a data controller, would evaluate high-risk processing initiatives using the DPIA evaluation process, safeguarding consumers against data processors that may take personal data into their own control. The required disclosure of data controllers’ associated processors and gathering methods grants the consumer two foreseen protections. Consumers can trace their data beyond the data controller to processors and sub-processors. As a result, controllers can no longer anonymously incorporate consumer data into trend analysis.

Potential Limitations to the GDPR

Given the expansive breadth of the GDPR’s territorial and material scope, these guidelines may draw an interesting line for privacy regulation in the future. Where digital data controllers can simply scrub their data of personal information to keep doing trend research, analog controllers do not have the same ability. The GDPR does not limit by size the companies that must adhere to its regulations. This means that independent contractors who handle small-scale analog data are still subject to these data regulations and fines.

Experts do not know how to resolve conflicts between GDPR compliance and foreign legislation. A country that requires companies to store billing receipts for a certain period of time may not allow its companies that distribute to E.U. citizens to scrub personal data despite consumers’ requests. The line where personal data ends is also unclear; a person’s face (used for facial recognition software) constitutes personal data and may be subject to GDPR protections. Lastly, while consumers can ask that personal data be scrubbed as part of their “right to be forgotten,” companies still have proprietary algorithms that identify a past consumer and prospect them on their platforms. In a sense, the damage may already be done.


Does the iPhone X’s Face ID Put Your Privacy at Risk?

With current technology, we are left with almost nothing to wish for. A decade ago, the services available to us now would be unfathomable. Today, you can have groceries, a professional massage, or a latte delivered to your door in minutes just by using your smartphone.

Smart Phone Revolution

With the release of the iPhone X, facial recognition software has become a popular topic of discussion. On Apple’s website, the features are described as “some of the most sophisticated technology we’ve ever developed,” including “cameras and sensors that enable Face ID.” However, the continuous development of this type of technology is accompanied by privacy concerns, making us wonder whether unlocking our phones so easily is really worth it.

Facial recognition in the Samsung Galaxy 8 can easily be fooled with a photo of the phone’s owner. Apple claims that such a breach of privacy is not possible with the iPhone X.

The iPhone X’s “True Depth Camera” works by analyzing 30,000 individual points on your face, creating both a facial map and an in-depth image of your face. Apple assures users that facial data for unlocking the iPhone X will only be stored on the phone itself. Yet thousands of third-party app developers can access some of this facial data.

The data shared with app developers is not by itself enough to unlock a phone. Privacy activists, though, are wary of granting thousands of people access to something as intimate as your face.

Concerns about people unlocking your phone, or about being forced to unlock your phone under duress from law enforcement or an abusive partner, are legitimate. There has always been the possibility that another person could force you to reveal your four-digit passcode. New technologies like Face ID and Touch ID now just make it more feasible.

Case Law

Until there is more case law regarding Face ID, we won’t know its exact legal implications. However, judging from a recent Minnesota case, technology such as Face ID and Touch ID cannot protect your phone from law enforcement. The case, State vs. Diamond, ruled that, when a court has issued a warrant allowing police to search a phone, a suspect can be compelled to unlock his phone with his fingerprint. Fingerprints, unlike passcodes, are not protected by the Fifth Amendment right against self-incrimination.

The court reasoned that being compelled by a warrant to unlock a phone via Touch ID is similar to being compelled to give a blood sample, and does not require a person to reveal any knowledge that could be considered self-incriminating.

Facial recognition technology is not limited to the iPhone X. Experiments are using it in attempts to reduce airport lines, prevent voter fraud, and provide better-quality CCTV. As technology continues to develop, we need to weigh the cost of losing privacy against convenience and accessibility.

HIPAA: How I Possess Access Already

After a visit to the doctor, I was told I could not see my medical records because I had not yet paid for my appointment. I felt uneasy being denied access to information about my body and health, but I decided to brush it off and follow the orders of my doctor. Healthcare providers exist to make sure I live a longer and healthier life, so they should always work in my best interest, right? I was wrong. Back then, I was unaware of my rights under the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Not knowing what I was entitled to, I was taken advantage of.

What even is HIPAA? HIPAA was enacted to provide health insurance coverage for those who change or lose their jobs and to secure the privacy of health records. HIPAA’s passing was especially important because of the shift from paper to digital records of people’s medical history. Just from reading the tabloids, you can see how easy it is to hack into a personal smartphone or computer and steal people’s photos. Just imagine how urgent it was to implement a system to keep individuals’ digital medical records under lock and key. Not only would it be embarrassing to have your every conversation with the doctor floating around on the Internet, but also potentially dangerous.

While I knew that HIPAA was designed to protect some of the most intimate details of my life, it didn’t make sense that my doctor was protecting my records from me. So I dug a little deeper and learned that HIPAA requires health insurers and providers to comply with any citizen’s right to see their medical records and control who else has access to those records.

I also learned that once you submit a request for medical records, the hospital is required to respond within 30 days. This applies even when you have not yet paid your hospital bills. Healthcare providers are only allowed to charge a fee for the labor of copying the medical record, the supplies for creating the paper or digital copy, and postage for mailing health records.

There exist only a few kinds of records providers can withhold, including psychotherapy notes and information that could reasonably endanger your or someone else’s safety. If your provider denies your request for access to certain records, you can always ask another provider to review your situation. He or she will determine if you can access your health information.

Through my research, I learned a lot about my rights to access my own medical records. The most frustrating of my findings is that not all individuals and organizations are considered to be “HIPAA-covered entities.” According to the Centers for Medicare & Medicaid Services website, HIPAA-covered entities can be categorized as health plans, clearinghouses, and healthcare providers.

Other institutions, such as elementary schools and the American Red Cross, are not required to comply with HIPAA. So make sure to check with your healthcare provider whether they are a HIPAA-covered entity. That way you know you will always have access to your medical records. If you believe your HIPAA rights are not being protected, you can file a complaint with your provider or with the Department of Health and Human Services.