Europeans are about to get a lot more control over their social media data. A major change to EU data protection law will require Facebook and others to significantly change how people access and using personal information. In the midst of a data gold rush, that's a big deal.
For Helen Dixon, Ireland's data protection commissioner, it's all about giving the power back to the people. "I think there is that thorny issue of how much anyone understands when they sign-up and purport to give their consent to a very long list of terms and conditions" Dixon says of the countless free-to-use services the make money from our data. As the European base for many technology giants, her view holds major sway.
Read more: Wetherspoons just deleted its entire customer email database – on purpose
The changes will be required under the EU's General Data Protection Regulation (GDPR), which comes into force in May 2018. The regulation sets out a series of "harmonised" data protection principles, that will be implemented into local laws for the 28 member states. The focus of the GDPR is to give greater protections to individuals as well as tougher rules on those who handle data.
"One of the things we have high hopes for significant change under the GDPR is how transparency is really delivered to users, particularly by these internet companies," Dixon tells WIRED. "We know from our engagement with them that a lot of them are looking very proactively at how they are going to do the transparency under the GDPR."
This is likely to entail how people can access and view the information that is gathered about them by some of the internet's biggest firms. "They're working with designers to look at how they can quickly engage a user quickly but also deliver them with what they need to ensure when they sign-up they're fully informed," Dixon says.
In recent years, her office has been heavily involved in some of Europe's biggest data protection cases, including the Safe Harbour case, where Europe's top court ruled a 15-year agreement for companies to transfer information to the US was unlawful. Technology companies including Facebook, Google, Apple, Twitter and Amazon have European headquarters in Ireland. That means almost all data privacy complaints against them cross Dixon's desk before being passed to higher courts in Europe.
In the future, Articles 13 and 14 of the GDPR outline changes for giving people information that's held about them. Article 13 covers where information about a person is collected after they provide it: the regulation says this should be handed-over when asked for and include how it is being used.
Article 14 covers where information about a person has been collected but not explicitly provided by them – this could include combining data from third-party sources. When requested, organisations will have to say what they hold, how it is being used, the types of personal data and how long it is being kept for.
Under current data protection rules to access information held about you, there is a fee. The £10 charge in the UK will be scrapped under the new regulation. Dixon says the new access requirements for individuals will force major technology companies to provide "concise and intelligible information" to their users. The change, she says, is "more prescriptive".
Read more: The Snooper's Charter is being taken to court to stop mass surveillance powers
Facebook currently has an automated tool that allows users to download information about them. This can be found through the Settings page. Included in the download is an activity log, posts, photos, shares, connections to other people, political views and more. Google's download data page includes information on the usage of Chrome, Calendar, contacts, Gmail, Hangouts, Maps, Photos and more.
When asked about new tools being implemented to its service for the start of GDPR, Google said it had nothing to announce at this stage but pointed WIRED in the direction of its blogpost on the issue. The post says Google is working on "operational changes" to comply with the new regulation. WIRED contacted Facebook but had not received a response at the time of publication.
The transparency changes don't just affect multi-national corporations. The laws also impact public bodies and companies of all sizes. Under the GDPR, Dixon expects more companies in Europe to develop automated download services like those implemented by Facebook and Google.
"We can anticipate that all sorts of organisations – hospitals, schools – will be subject to more access requests when there is no impediment to making it. A lot of them will have to design these types of tools that can extract out the personal data of individuals and deliver it to them online."
This article was originally published by WIRED UK
