Today there is a greater level of digital interconnectedness than ever before. It is human nature that we do not want to bother wasting time with security checks whenever we book an appointment at the GP, check the map, connect with friends or order food online. We want to get things done and done quickly, so much so that most of us prefer to trust the service provider with our personal information without questioning the security of this provider. However, services that seem to be free, like Google and Facebook, might charge a high price for catering to our pressing need for information: our digital privacy.
Often the user is required to give away personal information before accessing a website or a service. With the development of technologies, service providers are capable of collecting big data which can be used later for predictive and behavioural analytics. The first step in this data value chain is the collection of raw data. Once the data has been consolidated from different sources, restructured and analysed, the exposed information becomes extremely useful for the digital profiling of individuals. The further use of this digital profile for marketing purposes is extremely lucrative. Thus the value of the raw data multiplies through the process.
But how can we trust service providers with our digital lives? Besides the collection of digitalised data, hacking into operators’ systems has also developed into an illegal, albeit very profitable business.
In 2016, the application-based low-cost taxi company Uber chose to conceal a data breach which affected 57 million users worldwide. Hackers demanded a ransom of $100,000 to delete the stolen data, and the company’s management judged it better not to disclose the incident to the public. The biggest breach of 2016 was the Adult Friend Finder case, where confidential and very sensitive records of more than 300 million users were disclosed. Equifax, a consumer credit reporting agency, announced a cybersecurity breach in September 2017, four months after the incident took place. Approximately 145.5 million consumers’ personal information was disclosed, including their social security numbers. In the most recent case, we learnt that Facebook had already been warned in 2011 about the possible weaknesses of its privacy security, but no further steps were taken. Since then, Mark Zuckerberg has admitted Facebook’s mistake.
Companies often prefer paying ransoms and keeping quiet about the data protection breaches that can affect the lives of millions. In today’s digitalised world, businesses are facing not only the traditional threats of competition or bad management, but also the threat of a cyberattack. Companies can go bankrupt in seconds if they do not rebuild consumers’ trust quickly enough after a breach.
However, the future is not so gloomy. Europe has arrived at a turning point in personal data regulation. The General Data Protection Regulation (GDPR) will replace the old Data Protection Directive. The old directive came into effect in 1995 following the nonbinding OECD guidelines. The implementation of the directive’s guidelines varied widely in the member states. After more than 20 years, the renewal is long overdue. The GDPR, adopted in April 2016, will take effect in May 2018, and has many differences from the old directive. It will not only greatly affect European citizens’ rights but also many of the largest companies all over the world.
In contrast to the Data Protection Directive, the GDPR will standardise EU law and apply to all 28 member states. This will create an integrated digital economy across the European Union. Therefore, a unified understanding of what constitutes personal data will be applied. According to the current EU definition, personal data is “any information relating to identified or identifiable person”. Political views, religious beliefs, health information and sexual life are referred to as sensitive personal data.
The design of the GDPR will prioritise European citizens’ rights; the processing of the data collected will be in the hands of the individual. When Google lost the case against the Spanish Data Protection Agency in 2014, a new precedent was set regarding the question of what constitutes personal data and of what a citizen’s rights are when it comes to the use of that data collected by a provider. The collection of a person’s browsing history data on the internet and the subsequent digital profiling are not new, yet the old directive was not powerful enough to regulate this. The verdict of the European Court of Justice upheld the notion of the right to be forgotten. A citizen’s right to be forgotten provides grounds for the removal of personal information on request, but according to certain critics, the decision hinders the freedom of expression.
GDPR will affect companies in new ways. The mandatory notification of any security breaches will be applied to companies that operate using EU citizens’ data. This means that if the data collector outsources data to a third party and there is a misuse, both companies will be liable, even if the third party is registered outside the EU. It also means that the GDPR will have implications for companies all over the world. Starting in May, operators will be legally required to follow the path of the data from collection to analysis. In case of a data protection breach that goes unreported for more than 72 hours, the operator will pay the price of non-compliance: a fine of up to 20 million Euros. Paying ransoms to hackers to conceal a breach and to preserve the company’s good image may just cost too much in the future. The new regulation will also have an impact on e-commerce. The new single digital market is supposed to build consumer trust and thereby spur economic growth.
There is no question that while we are benefiting from seemingly free information, we are simultaneously giving away information about ourselves for free. Our privacy has been privatized. Just as unquestionably, we are looking ahead to more serious breaches in the future. The question remains the same: are states adaptable enough to keep up with the pace of hackers?