WEBVTT - What exactly is GDPR 0:00:04.120 --> 0:00:07.160 Get in touch with technology with tech Stuff from how 0:00:07.200 --> 0:00:14.000 stuff Works dot com either and welcome to tech Stuff. 0:00:14.040 --> 0:00:16.840 I'm your host, Jonathan Strickland. I'm an executive producer at 0:00:16.880 --> 0:00:20.119 how Stuff Works in I love all things tech, and 0:00:20.200 --> 0:00:26.239 today we're going to tackle a fairly topical subject, something 0:00:26.280 --> 0:00:29.360 that really came into play in the spring of and 0:00:29.440 --> 0:00:33.280 chances are you have received an email or two or 0:00:33.760 --> 0:00:37.880 two dozen or more from various companies about new policies 0:00:38.200 --> 0:00:41.400 that relate to g d p R. Often they will 0:00:41.440 --> 0:00:44.319 ask you for your permission to continue to communicate with you. 0:00:44.960 --> 0:00:47.519 So what's it all about? A Well, g d p 0:00:47.760 --> 0:00:51.800 R stands for General Data Protection Regulation and it's a 0:00:51.880 --> 0:00:55.000 data protection law, as the name suggests, and it's from 0:00:55.000 --> 0:00:58.840 the European Union or EU. But the Internet, as it 0:00:58.880 --> 0:01:01.600 turns out, is a mobile entity, so even if you 0:01:01.720 --> 0:01:04.800 do not live in the EU, you will likely be 0:01:04.880 --> 0:01:08.080 affected by this new law. In this episode, I'm going 0:01:08.120 --> 0:01:10.600 to go through the history of the law, what the 0:01:10.680 --> 0:01:13.640 law is actually all about, and how companies are doing 0:01:13.920 --> 0:01:17.119 as far as complying with that law. And here's a hint, 0:01:17.200 --> 0:01:20.080 there are some companies that are not even close to compliance. 0:01:20.160 --> 0:01:23.840 But we'll get to that First, let's look back to 0:01:24.120 --> 0:01:29.240 nineteen That's when the European Union adopted the Data Protection 0:01:29.360 --> 0:01:32.800 Directive or d p D. There was a different world 0:01:32.959 --> 0:01:38.440 back in the Worldwide Web was still a baby. Heck, 0:01:38.560 --> 0:01:42.680 I was still in college in n The heart of 0:01:42.720 --> 0:01:46.039 the Data Protection Directive was an effort to protect the 0:01:46.120 --> 0:01:50.600 privacy of citizens in the EU, and the EU as 0:01:50.640 --> 0:01:54.200 a whole has placed a high value on privacy, something 0:01:54.280 --> 0:01:59.400 that has been treated with uh, let's say, a more 0:01:59.560 --> 0:02:03.640 casual ual demeanor here in the United States, except in 0:02:03.680 --> 0:02:08.640 cases where something has gone terribly terribly wrong. The directive 0:02:08.840 --> 0:02:12.519 specifically covered how data can be processed and in what 0:02:12.680 --> 0:02:16.720 context it might be processed within the European Union. It 0:02:16.760 --> 0:02:21.600 didn't matter if the data was collected manually or automatically 0:02:21.720 --> 0:02:23.640 as and it didn't matter if there was a human 0:02:23.639 --> 0:02:26.679 in charge of it or if it was an algorithm. 0:02:26.720 --> 0:02:30.400 The rules were a broad overview, leaving up specifics to 0:02:30.639 --> 0:02:34.320 the member countries to actually adopt those those rules and 0:02:34.360 --> 0:02:37.360 incorporate them into their own laws. But some of the 0:02:37.400 --> 0:02:40.840 general tenants included that personal data could only be quote 0:02:41.160 --> 0:02:46.560 collected for specified explicit and legitimate purposes and not further 0:02:46.720 --> 0:02:51.799 process in a way incompatible with those purposes. End quote. Further, 0:02:52.120 --> 0:02:56.200 only the data needed for those purposes should be collected. 0:02:56.560 --> 0:02:59.040 There should not be a case of an entity collecting 0:02:59.120 --> 0:03:03.359 practically everything if that entity stated purpose is to run 0:03:03.400 --> 0:03:07.040 a process on just a narrow scope of all that data. 0:03:07.280 --> 0:03:11.080 This might remind you of the old days of Facebook apps, 0:03:11.120 --> 0:03:14.000 where you could uh or add ons. You know, there's 0:03:14.120 --> 0:03:17.079 little things that you could attach to your Facebook profile 0:03:17.360 --> 0:03:20.440 and they would ask you for permission to view certain 0:03:20.600 --> 0:03:23.440 parts of your information. Well, in the old wild West days, 0:03:23.480 --> 0:03:26.400 that could be anything, it could be absolutely everything, even 0:03:26.400 --> 0:03:29.200 though the app itself may only use a tiny bit 0:03:29.240 --> 0:03:32.520 of information at any given time, especially for whatever the 0:03:32.520 --> 0:03:36.000 app was supposed to do. Well. Eventually, Facebook cracked down 0:03:36.000 --> 0:03:39.200 on that and said, you know what, you should only 0:03:39.800 --> 0:03:43.280 ask permission to get access to the data you need 0:03:43.560 --> 0:03:47.120 to do whatever it is that you do, and otherwise 0:03:47.160 --> 0:03:49.640 you should leave everything else alone. That's kind of what 0:03:49.680 --> 0:03:53.840 was going on back in with this this directive. Further, 0:03:54.280 --> 0:03:57.120 the data was meant to be as accurate as possible, 0:03:57.320 --> 0:04:00.600 and if there were any indications that the information was 0:04:00.680 --> 0:04:03.480 inaccurate or it was out of date, it would be 0:04:03.640 --> 0:04:07.920 quote erased or rectified. End quote. And finally, the data 0:04:07.920 --> 0:04:09.760 would have to be kept in such a way that 0:04:09.800 --> 0:04:13.880 the identity of the individuals involved would only be knowable 0:04:14.120 --> 0:04:17.800 for as long as it was necessary to run the process. 0:04:17.920 --> 0:04:20.760 Once the entity has done whatever it needed to do 0:04:20.839 --> 0:04:23.640 with all that information, it was supposed to anonymize the 0:04:23.760 --> 0:04:26.000 data so that there would be no way of knowing 0:04:26.200 --> 0:04:29.120 who it pertained to. So once you had finished running 0:04:29.120 --> 0:04:31.880 whatever the process was, you had to make sure that 0:04:31.920 --> 0:04:35.200 the information would no longer be traced back to the 0:04:35.240 --> 0:04:38.800 people who gave you the information. In addition, the directive 0:04:38.800 --> 0:04:42.960 required entities to obtain user consent before collecting their information 0:04:42.960 --> 0:04:46.839 in the first place, and that consent had to be unambiguous. 0:04:47.200 --> 0:04:50.400 In addition, the data collector was under the obligation of 0:04:50.440 --> 0:04:54.359 providing the individuals with information about who was ultimately getting 0:04:54.440 --> 0:04:57.719 the data and to what purpose, as well as provide 0:04:57.760 --> 0:05:00.440 for an opportunity for the individual to review the data 0:05:00.480 --> 0:05:04.240 for any potential errors, so that way, you, as the 0:05:04.320 --> 0:05:06.680 person involved, could say, well, let me take a look 0:05:06.680 --> 0:05:08.640 at what you've gathered and make sure that you don't 0:05:08.640 --> 0:05:11.360 have any information that is inaccurate or out of date. 0:05:11.680 --> 0:05:14.160 Now already it might sound to you like this directive 0:05:14.440 --> 0:05:16.720 might have been a challenge to implement for a lot 0:05:16.760 --> 0:05:20.120 of reasons. In two thousand eleven, the European Data Protection 0:05:20.200 --> 0:05:24.880 Supervisor published an opinion titled quote a Comprehensive Approach on 0:05:24.960 --> 0:05:28.280 Personal Data Protection in EU end quote as sort of 0:05:28.320 --> 0:05:31.600 an update to this policy. By two thousand eleven, the 0:05:31.640 --> 0:05:34.320 Internet was much more mature than had been back in 0:05:35.040 --> 0:05:36.880 at least in the sense that there are a lot 0:05:36.920 --> 0:05:40.240 more people and businesses using it. There's still no shortage 0:05:40.279 --> 0:05:44.400 of immature content on the Internet anyway. By two thousand eleven, 0:05:44.520 --> 0:05:47.360 e commerce was a really big deal, and Internet access 0:05:47.400 --> 0:05:51.480 was increasingly being viewed as a right. But that also 0:05:51.560 --> 0:05:54.359 brought with it threats to privacy. Many of the Internet 0:05:54.360 --> 0:05:58.720 connected services we enjoy are constantly collecting data on us, 0:05:59.160 --> 0:06:02.480 either about no information about us in particular, or tracking 0:06:02.480 --> 0:06:06.279 our behaviors over time, and that data is kind of 0:06:06.320 --> 0:06:09.200 like currency. It's got value to it, So you and 0:06:09.279 --> 0:06:13.240 I might enjoy a service while simultaneously supplying information to 0:06:13.320 --> 0:06:16.919 the service provider, which in turn could potentially sell that 0:06:17.000 --> 0:06:21.560 information off to other buyers. This applies for everything from apps, 0:06:21.560 --> 0:06:26.120 to social media networks to smart devices. On January two 0:06:26.160 --> 0:06:30.560 thousand twelve, the European Commission proposed a reform of the 0:06:30.640 --> 0:06:34.119 data protection rules that came from in order to better 0:06:34.160 --> 0:06:38.560 represent the new digital landscape and protects in privacy while 0:06:38.560 --> 0:06:42.760 simultaneously supporting the digital economy, which is a really tough job. 0:06:42.800 --> 0:06:45.240 You've gotta balance a lot of stuff that way. So 0:06:45.920 --> 0:06:48.040 it was in fact so difficult it would take four 0:06:48.240 --> 0:06:52.400 years just to draft the new rules. In fourteen, the 0:06:52.440 --> 0:06:55.760 European Parliament voted on adopting a new set of rules, 0:06:56.000 --> 0:06:58.599 though those rules were not yet actually written. This was 0:06:58.640 --> 0:07:01.680 just the Parliament saying, yeah, I think it's time for 0:07:01.760 --> 0:07:06.559 us to actually have new rules. Regarding this, six votes 0:07:06.600 --> 0:07:10.200 were in favor of developing new rules, only ten votes 0:07:10.520 --> 0:07:14.120 were against it, and there were twenty two abstentions. The 0:07:14.200 --> 0:07:17.160 various governing bodies of the EU reached an agreement on 0:07:17.200 --> 0:07:20.240 the g d p R rules on December fifteen, two 0:07:20.240 --> 0:07:25.640 thousand fifteen. On April two thousand sixteen, the EU officially 0:07:25.680 --> 0:07:28.360 adopted the g d p R set of rules, but 0:07:28.400 --> 0:07:30.840 they would not be enacted for another two years. In 0:07:30.880 --> 0:07:35.040 other words, they said, hey, everybody, you have two years 0:07:35.080 --> 0:07:37.480 to get your act together. Here are the rules that 0:07:37.560 --> 0:07:40.480 you need to abide by go, You've got two years 0:07:40.520 --> 0:07:44.080 to get there. This decision also, by the way, repealed 0:07:44.280 --> 0:07:47.960 that previous nine directive. It said, it's not in addition 0:07:48.040 --> 0:07:51.320 to that directive. This replaces it entirely. As of the 0:07:51.360 --> 0:07:55.040 spring of the g d p R s provisions became 0:07:55.200 --> 0:07:59.480 directly applicable and all member states of the EU, and 0:07:59.600 --> 0:08:03.720 late in the spring, the EU published a corrigendum to 0:08:03.800 --> 0:08:06.720 the regulation. That means the EU published a list of 0:08:06.720 --> 0:08:10.240 corrections and clarifications relating to the law. And in the 0:08:10.280 --> 0:08:13.400 interest of full disclosure, I have to admit I needed 0:08:13.400 --> 0:08:16.120 to look up the word corrigendum because I don't think 0:08:16.160 --> 0:08:19.480 I've ever seen it before. One of the biggest differences 0:08:19.560 --> 0:08:21.880 between the g d p R and the earlier Data 0:08:21.920 --> 0:08:25.720 Protection Directive is in its binding nature. The dp D, 0:08:25.880 --> 0:08:27.920 as I said, was a set of policies that had 0:08:27.960 --> 0:08:31.000 to be transposed into the national law of each of 0:08:31.040 --> 0:08:35.200 the members of the EU, which created a somewhat fragmented 0:08:35.320 --> 0:08:38.680 and messy set of policies. The g d p R, however, 0:08:38.840 --> 0:08:42.600 is different. It has direct legal effect on all EU 0:08:42.800 --> 0:08:45.920 member states, with no need for the policies to be 0:08:45.960 --> 0:08:50.280 incorporated into those nations laws. So let's start talking about 0:08:50.280 --> 0:08:52.959 the specifics in the law. What does it cover and 0:08:53.000 --> 0:08:55.280 in what ways might a person's data still be used 0:08:55.320 --> 0:08:59.600 without their knowledge or consent. Much of the regulation affirmed 0:08:59.679 --> 0:09:02.600 the earlier Data Protection Directive, but here are some of 0:09:02.640 --> 0:09:04.800 the key points. And first I'm gonna look at the 0:09:04.880 --> 0:09:07.839 opening statements of the g d p R. The EU 0:09:07.920 --> 0:09:11.120 has identified the protection of persons in relation of the 0:09:11.120 --> 0:09:15.040 processing of personal data as a fundamental right, and that 0:09:15.120 --> 0:09:18.760 right includes the right of protection of personal data. At 0:09:18.760 --> 0:09:21.400 the same time, there's a need to allow for the 0:09:21.480 --> 0:09:25.120 free flow of data between member states of the European Union, 0:09:25.280 --> 0:09:29.920 so any regulations in place must not create obstacles between 0:09:29.960 --> 0:09:33.680 different member states. Citizens of the EU are allowed to 0:09:33.720 --> 0:09:37.240 move freely through the EU taking jobs in different member states, 0:09:37.240 --> 0:09:40.840 so their data should also be free to move through 0:09:40.880 --> 0:09:44.400 the EU with their consent. This next bit is pretty important, 0:09:44.400 --> 0:09:48.839 so I'm going to quote it directly. Quote the processing 0:09:49.000 --> 0:09:53.160 of personal data should be designed to serve mankind. The 0:09:53.320 --> 0:09:56.080 right to the protection of personal data is not an 0:09:56.120 --> 0:09:59.680 absolute right. It must be considered in relation to its 0:09:59.720 --> 0:10:04.240 fun in society and be balanced against other fundamental rights 0:10:04.360 --> 0:10:09.280 in accordance with the principle of proportionality. The regulation respects 0:10:09.320 --> 0:10:13.200 all fundamental rights and observes the freedoms and principles recognized 0:10:13.200 --> 0:10:16.559 in the Charter as enshrined in the Treaties, in particular 0:10:16.640 --> 0:10:20.520 the respect for private and family life, home and communications, 0:10:20.800 --> 0:10:25.240 the protection of personal data, freedom of thought, conscience and religion, 0:10:25.520 --> 0:10:29.400 freedom of expression and information, freedom to conduct a business, 0:10:29.720 --> 0:10:32.600 the right to an effective remedy and to a fair trial, 0:10:32.960 --> 0:10:37.000 and cultural, religious, and linguistic diversity. So, in other words, 0:10:37.040 --> 0:10:39.840 they were saying, yes, this is a fundamental right, but 0:10:39.920 --> 0:10:44.080 it does not take precedence over other fundamental rights. So 0:10:44.120 --> 0:10:46.960 there will come times when you have to take various 0:10:46.960 --> 0:10:50.439 things into consideration and you can't just say the privacy 0:10:50.840 --> 0:10:54.800 is the most important element in this particular scenario. You 0:10:54.840 --> 0:10:57.240 have to consider all the different parts and weigh them 0:10:57.280 --> 0:10:59.600 against each other. But what do we mean when we 0:10:59.679 --> 0:11:04.560 say processing data. Well, essentially, it means any sort of 0:11:04.600 --> 0:11:09.680 operation on information, whether performed automatically or manually. That includes 0:11:09.760 --> 0:11:15.120 collecting data, recording data, structuring it in different ways, organizing it, 0:11:15.520 --> 0:11:19.760 altering it or adapting it, consulting the data, using it 0:11:19.840 --> 0:11:23.439 in some way, transmitting the data, or even erasing the data. 0:11:23.520 --> 0:11:27.400 All of that is considered processing, so essentially, if you 0:11:27.520 --> 0:11:30.880 touch that data, you're processing it in some way. The 0:11:30.960 --> 0:11:34.440 document goes on to acknowledge that it is increasingly difficult 0:11:34.480 --> 0:11:38.679 and complicated to protect personal data in today's world. Globalization 0:11:38.720 --> 0:11:41.760 and the rapid exchange of information, coupled with platforms that 0:11:41.880 --> 0:11:46.600 encourage people to share their personal data, either explicitly or otherwise, 0:11:46.880 --> 0:11:50.000 have made it pretty hard to regulate. Gdp ARE also 0:11:50.040 --> 0:11:55.360 identifies two major categories of parties in addition to EU citizens. 0:11:55.840 --> 0:11:59.679 These are the data controllers and the data processors. The 0:11:59.760 --> 0:12:03.600 can trollers are the entities that determine why and how 0:12:03.800 --> 0:12:07.199 data will be used, and the processors are the entities 0:12:07.200 --> 0:12:10.480 that actually carry out those operations on behalf of a collector. 0:12:11.160 --> 0:12:15.280 One single company can be both a collector and a processor, 0:12:15.960 --> 0:12:19.160 or they could partner with other companies. All right, those 0:12:19.200 --> 0:12:21.600 are the basics. When we come back, I'll get into 0:12:21.640 --> 0:12:24.000 more specifics with the g d p R, but first 0:12:24.120 --> 0:12:34.400 let's take a quick break to thank our sponsor. One 0:12:34.440 --> 0:12:37.520 tricky thing in the policy is that it covers all 0:12:37.760 --> 0:12:42.640 entities that process data that belongs to EU citizens, even 0:12:42.679 --> 0:12:46.280 if those entities themselves are not in the EU. So, 0:12:46.440 --> 0:12:49.240 for example, let's say I have set up a new 0:12:49.360 --> 0:12:53.880 social networking platform and I'm calling it Strict Book. So 0:12:53.960 --> 0:12:56.480 I've got Strict Book, and I've built a data center 0:12:56.520 --> 0:12:59.520 in my garage here in the United States. But there 0:12:59.520 --> 0:13:02.800 are bowl in the European Union that have made accounts 0:13:02.840 --> 0:13:06.040 on my platform. And let's say that I make money 0:13:06.120 --> 0:13:09.599 by dealing in data to parties that want that information. 0:13:09.640 --> 0:13:12.800 So I gather information from my users and I sell 0:13:12.840 --> 0:13:16.120 it to various entities that want access to it. Maybe 0:13:16.120 --> 0:13:19.600 they want to market to my users directly some advertising 0:13:19.640 --> 0:13:22.280 to them. Well, I would be the subject to the 0:13:22.320 --> 0:13:25.760 regulations of g d p R because there would be 0:13:25.880 --> 0:13:29.200 EU citizens using my service even though my services located 0:13:29.240 --> 0:13:31.960 in the United States. So as long as those EU 0:13:32.040 --> 0:13:35.240 citizens were using my services while they were in the EU, 0:13:35.640 --> 0:13:38.520 I would have to play by this policy's rules. From 0:13:38.600 --> 0:13:42.720 the EU g DPR dot org site quote, the g 0:13:42.840 --> 0:13:45.480 d p R will also apply to the processing of 0:13:45.559 --> 0:13:48.560 personal data of data subjects in the EU by a 0:13:48.559 --> 0:13:53.000 controller or processor not established in the EU, where the 0:13:53.040 --> 0:13:57.079 activities relate to offering goods or services to EU citizens, 0:13:57.120 --> 0:14:01.160 irrespective of whether payment is required, and the monitoring of 0:14:01.280 --> 0:14:06.120 behavior that takes place within the EU. Non EU businesses 0:14:06.200 --> 0:14:09.240 processing the data of EU citizens will also have to 0:14:09.280 --> 0:14:13.760 appoint a representative in the EU. So essentially, what that's 0:14:13.760 --> 0:14:16.760 saying is, if you want to use the data that 0:14:16.840 --> 0:14:20.560 our citizens create, whether it's to market to them or 0:14:20.640 --> 0:14:23.400 you're tracking their information for some other purposes, you've got 0:14:23.400 --> 0:14:25.960 to play by our rules. Doesn't matter that you don't 0:14:26.080 --> 0:14:29.680 have your operations here in the European Union. The introduction 0:14:29.720 --> 0:14:33.600 also explains that the policy does not protect in all cases. 0:14:33.840 --> 0:14:37.160 For example, it says this regulation does not apply to 0:14:37.320 --> 0:14:40.400 issues of protection of fundamental rights and freedoms or the 0:14:40.440 --> 0:14:43.480 free flow of personal data related to activities which fall 0:14:43.560 --> 0:14:48.000 outside the scope of Union law, such as activities concerning 0:14:48.120 --> 0:14:51.800 national security. This regulation does not apply to the processing 0:14:51.800 --> 0:14:54.440 of personal data by the Member states when carrying out 0:14:54.480 --> 0:14:57.960 activities in relation to the Common Foreign and Security Policy 0:14:58.080 --> 0:15:01.800 of the Union. Likewise, in the case of law enforcement 0:15:01.800 --> 0:15:05.640 conducting an investigation, the policy does not protect personal data. 0:15:05.720 --> 0:15:09.360 The policy does, however, point towards other regulations in the 0:15:09.400 --> 0:15:13.440 EU that govern how law enforcement can access personal information, 0:15:13.520 --> 0:15:15.640 because it's not just willy nilly, they have to go 0:15:15.680 --> 0:15:19.960 through the proper procedures. However, they say there are obviously 0:15:20.040 --> 0:15:25.840 cases where persons private data may become an important element 0:15:26.040 --> 0:15:31.040 in some state level or law enforcement level UH process, 0:15:31.080 --> 0:15:34.840 and in those cases this does not protect him. You can't, 0:15:34.920 --> 0:15:37.720 as a citizen say no, police, you can't look at 0:15:37.720 --> 0:15:40.520 my personal data as part of this investigation, even though 0:15:40.560 --> 0:15:44.000 you lawfully obtained it by going through all the right processes. 0:15:44.720 --> 0:15:47.800 That would not be allowable under g d p R. 0:15:48.320 --> 0:15:50.640 Another limitation of the g d p R is that 0:15:50.760 --> 0:15:54.200 it applies only to information for a person who is 0:15:54.240 --> 0:16:00.960 identified or is identifiable by that information, which includes suit oonymization. 0:16:01.720 --> 0:16:05.880 What means the data is quasi anonymous, that if you 0:16:05.920 --> 0:16:08.520 were presented with the information, you might not be able 0:16:08.560 --> 0:16:12.720 to immediately identify who that information pertained to, but that 0:16:12.800 --> 0:16:16.840 with additional information you would be able to identify the person. 0:16:17.360 --> 0:16:20.000 So this is pretty important stuff, it turns out, because 0:16:20.560 --> 0:16:23.720 not that much information is actually needed to identify a person. 0:16:23.920 --> 0:16:26.520 For example, here in the United States, there was a 0:16:26.560 --> 0:16:30.240 Harvard professor named Latanya Sweeney who conducted the study a 0:16:30.240 --> 0:16:33.520 few years ago, and she discovered that all she needed 0:16:33.680 --> 0:16:37.000 was a zip code, a gender, and a birth date 0:16:37.320 --> 0:16:40.680 to identify up to eight seven percent of all people 0:16:40.720 --> 0:16:44.560 in the United states that's it. Three data points. Those 0:16:44.600 --> 0:16:46.880 three pieces of data was all it would be needed 0:16:46.920 --> 0:16:49.240 in order for you to say that those pieces of 0:16:49.280 --> 0:16:53.160 information specifically refer to this person, and it worked eighty 0:16:53.240 --> 0:16:55.720 seven percent of the time for all us adults. It 0:16:55.760 --> 0:17:00.000 doesn't take much to single someone out. That is why 0:17:00.040 --> 0:17:04.760 the pseudo not nymization term is used. It's pseudo anonymous. 0:17:05.400 --> 0:17:08.080 The policy goes a little bit further with this, stating 0:17:08.119 --> 0:17:10.760 that if it were to take an unreasonable amount of 0:17:10.760 --> 0:17:13.800 effort or money to ascertain the identity of a person 0:17:13.880 --> 0:17:18.040 based on this limited information, it's probably okay because it's 0:17:18.119 --> 0:17:21.879 unlikely anyone would actually go to those lengths. But the 0:17:22.000 --> 0:17:24.720 easier it is to identify a person based on the data, 0:17:25.000 --> 0:17:27.080 the more it falls under the protection of g d 0:17:27.200 --> 0:17:30.120 p R. But then, what about anonymous data? What about 0:17:30.200 --> 0:17:33.200 data that really seems to have no connection with any 0:17:33.240 --> 0:17:36.840 particular individual. The g d p R does not protect 0:17:37.040 --> 0:17:40.679 truly anonymous data. If there's no way to identify a 0:17:40.760 --> 0:17:44.320 single person out of a collection of anonymized data for 0:17:44.440 --> 0:17:48.199 statistical or research purposes, that's fine. So if you were 0:17:48.240 --> 0:17:51.639 doing an academic study that took demographics into account and 0:17:51.680 --> 0:17:54.480 the population size, you were looking at were sufficiently large 0:17:54.560 --> 0:17:57.879 enough to ensure no respondent could be identified from the information, 0:17:58.240 --> 0:18:00.240 you'd be all set. Not if you're worth king with 0:18:00.240 --> 0:18:03.480 a really small population size, anyone who is an outlier 0:18:03.600 --> 0:18:06.680 would be easily identifiable, and that would therefore fall under 0:18:06.720 --> 0:18:09.640 g d p R because it's not truly anonymous data. 0:18:09.800 --> 0:18:12.600 But if you're working with really big data sets, then 0:18:13.080 --> 0:18:16.240 outliers you will have enough of them to kind of 0:18:16.359 --> 0:18:20.240 make sure that anonymity is preserved, So again it's all spectrum. 0:18:20.720 --> 0:18:23.399 The g DPR also does not apply if you happen 0:18:23.480 --> 0:18:26.280 to be dead, but then at that point you're probably 0:18:26.320 --> 0:18:29.439 past caring about your personal data. Also, it's hard to 0:18:29.480 --> 0:18:32.399 have personal data if you, you know, if you're no 0:18:32.440 --> 0:18:36.479 longer a person. The g DPR also says that any 0:18:36.480 --> 0:18:39.960 party that intends to collect and process data must be 0:18:40.080 --> 0:18:43.159 transparent in its policies. So those policies have to be 0:18:43.240 --> 0:18:45.359 easy to find, and they have to be written in 0:18:45.400 --> 0:18:48.240 such a way as to be easily understood. You aren't 0:18:48.280 --> 0:18:52.879 supposed to obfuscate your intentions with unnecessarily complicated jargon or 0:18:52.960 --> 0:18:56.520 legal lease. This includes not just how data is collected, 0:18:56.800 --> 0:18:59.600 but to what purpose that data will be put so, 0:18:59.640 --> 0:19:01.880 if a cop he wants to collect information in order 0:19:01.920 --> 0:19:03.960 to sell it to other parties, it would have to 0:19:04.040 --> 0:19:06.879 disclose that in this policy and do so in a 0:19:06.920 --> 0:19:11.919 way that was pretty transparent, easy to understand, and the 0:19:11.960 --> 0:19:13.919 g d p R does not mess around. When it 0:19:13.920 --> 0:19:16.919 comes to the concept of a user consenting to have 0:19:17.119 --> 0:19:21.920 his or her data collected or processed, I quote, consent 0:19:22.160 --> 0:19:26.000 should be given by a clear affirmative act establishing a 0:19:26.119 --> 0:19:31.640 freely given, specific, informed, and unambiguous indication of the data 0:19:31.720 --> 0:19:35.240 subjects agreement to the processing of personal data relating to 0:19:35.320 --> 0:19:38.720 him or her, such as by a written statement, including 0:19:38.760 --> 0:19:42.560 by electronic means, or an oral statement. This could include 0:19:42.600 --> 0:19:46.440 tacking a box when visiting an Internet website, choosing technical 0:19:46.480 --> 0:19:50.720 settings for information society services, or another statement or conduct 0:19:50.760 --> 0:19:55.160 which clearly indicates in this context the data subjects acceptance 0:19:55.240 --> 0:19:59.720 of the proposed processing of his or her personal data. Silence, 0:20:00.240 --> 0:20:05.920 pre ticked boxes, or inactivity should not therefore constitute consent. 0:20:06.600 --> 0:20:09.840 Consent should cover all processing activities carried out for the 0:20:09.920 --> 0:20:14.200 same purpose or purposes. When the processing has multiple purposes, 0:20:14.440 --> 0:20:17.639 consent should be given for all of them. If the 0:20:17.720 --> 0:20:20.600 data subjects consent is to be given following a request 0:20:20.600 --> 0:20:24.600 by electronic means. The request must be clear, concise, and 0:20:24.720 --> 0:20:28.199 not unnecessarily disruptive to the use of the service for 0:20:28.280 --> 0:20:31.560 which it is provided. So yeah, it's a big deal, 0:20:31.920 --> 0:20:34.919 and companies are supposed to be real clear about this 0:20:35.000 --> 0:20:38.960 whenever they present a user with the option to opt 0:20:39.040 --> 0:20:43.240 into this kind of data collection and processing. Moreover, consent 0:20:43.280 --> 0:20:46.239 should be just as easy to withdraw as it is 0:20:46.280 --> 0:20:50.080 to grant, so if a user decides after giving consent 0:20:50.200 --> 0:20:53.520 to revoke that consent, it has to be possible to 0:20:53.560 --> 0:20:56.439 do so, and the entity collecting or processing the data 0:20:56.480 --> 0:21:00.639 has to knock it off. Citizens are will allowed to 0:21:00.760 --> 0:21:03.960 ask for all their data from a controller, and then 0:21:04.000 --> 0:21:07.600 those citizens can even send that data to another controller. So, 0:21:07.640 --> 0:21:10.160 in other words, potentially the g d p R could 0:21:10.160 --> 0:21:13.840 allow citizens to act as their own data brokers. Granted, 0:21:14.080 --> 0:21:17.320 personal data on an individual level is not worth all 0:21:17.400 --> 0:21:20.920 that much. It's mostly valued when it's in bulk, when 0:21:20.920 --> 0:21:25.200 you have thousands of people's data. Selling one person's data 0:21:25.400 --> 0:21:28.040 not that big a deal unless you're talking about things like, 0:21:28.960 --> 0:21:31.120 you know, credit card numbers and stuff like that. Even 0:21:31.160 --> 0:21:34.159 then it's not that expensive, So you might wonder how 0:21:34.240 --> 0:21:36.920 much is all your data worth? Well, that depends on 0:21:36.960 --> 0:21:39.719 the nature of the information and how much of it 0:21:39.760 --> 0:21:43.119 you're providing and who you are really. But there's a 0:21:43.119 --> 0:21:46.560 great post on medium titled quote how much is your 0:21:46.640 --> 0:21:50.280 data worth? And that uses some basic industry analysis to 0:21:50.320 --> 0:21:54.000 conclude that, on average, a person's data is worth about 0:21:54.040 --> 0:21:57.600 two forty dollars per year. But this calculation was done 0:21:57.600 --> 0:21:59.919 with a lot of assumptions, and that is something the 0:22:00.000 --> 0:22:03.439 author of the piece readily admits to. It's a tricky question, 0:22:03.560 --> 0:22:06.720 but still it could now be a question answered by 0:22:06.760 --> 0:22:11.040 individual citizens rather than data brokers. Related to this is 0:22:11.080 --> 0:22:14.720 the concept of data erasure, or better known as the 0:22:14.840 --> 0:22:17.560 right to be forgotten. A lot was written about this 0:22:17.600 --> 0:22:20.640 a couple of years ago when the EU first agreed 0:22:20.840 --> 0:22:23.919 to these rules, and I'll probably chat a little bit 0:22:23.920 --> 0:22:26.919 more about that later, but it is pretty tricky generally speaking. 0:22:26.960 --> 0:22:29.280 This policy says the data subject has the right to 0:22:29.320 --> 0:22:32.080 tell a data collection entity to cut it out, to 0:22:32.200 --> 0:22:35.879 delete all the collected data about that person, and potentially 0:22:36.080 --> 0:22:39.600 have third parties that partnered with that data collection entity 0:22:39.960 --> 0:22:44.359 to stop any data processing of the information. However, this 0:22:44.400 --> 0:22:46.879 has to be done with a consideration toward quote the 0:22:46.960 --> 0:22:50.280 public interest in the availability of the data end quote. 0:22:51.040 --> 0:22:53.320 So in other words, let's say you go and do 0:22:53.400 --> 0:22:58.360 something really really dumb, like colossally stupid, and news outlets 0:22:58.400 --> 0:23:01.360 pick it up and they cover your lostly stupid mistake, 0:23:02.119 --> 0:23:05.080 and now your name is associated with this terrible mistake 0:23:05.160 --> 0:23:07.679 you made, and you know you made it honestly, you 0:23:07.720 --> 0:23:10.639 didn't set out to make it. It just happened. But 0:23:10.720 --> 0:23:14.040 now it's attached to your name. Well, you wouldn't be 0:23:14.080 --> 0:23:16.800 able to just sweep that under the rug by asking 0:23:16.840 --> 0:23:20.680 all search engines to delete information about you, thus reducing 0:23:20.680 --> 0:23:23.280 the chance anyone would ever see that information about your 0:23:23.359 --> 0:23:27.040 dumb mistake, because it goes against the public interest of 0:23:27.080 --> 0:23:29.639 the availability of that data. This is one of the 0:23:29.720 --> 0:23:31.840 points that I was talking about just a second ago 0:23:32.040 --> 0:23:35.080 that a lot of news outlets were really focusing on. 0:23:35.160 --> 0:23:39.840 Because imagine you are, let's say, a political hopeful, and 0:23:39.960 --> 0:23:43.520 you decide you want to wipe out any references to 0:23:43.560 --> 0:23:46.520 your past that are online as best you can, and 0:23:46.560 --> 0:23:49.399 so you contact all of these different search engines to 0:23:49.680 --> 0:23:53.520 have all the information be quote unquote forgotten because you 0:23:53.600 --> 0:23:56.720 don't want people to dig up something you did, you know, 0:23:56.800 --> 0:23:59.560