Is Privacy Possible in 2020?

by Sanjeev Kapoor 07 Jan 2020

The accelerated growth of social media during the past two decades has opened new horizons for businesses and individuals, including new opportunities for sales, marketing, advertising and communication with peers. However, it has also increased privacy and data protection concerns for internet and social media users, as a great many internet services rely on data that users provide. In most cases such data are provided voluntarily by end-users, who are usually willing to provide their personal data in exchange for services that offer convenience and save them precious time. Nevertheless, the collection of vast amounts of personal data by giant internet companies can have dramatic implications for individuals’ privacy. As a prominent example, in the notorious Cambridge Analytica case, the company harvested the personal data of millions of Facebook profiles without the consent of their owners. This was a large-scale data privacy violation, one of a large number of similar incidents during the past decade.

In response to these incidents, policy makers have been considering changes to legal frameworks for privacy and data protection. They have scrutinized the operation and business processes of internet service providers as a means of devising laws and regulations that create an ethical environment for the deployment, operation and use of on-line services. The most prominent outcomes of such regulatory initiatives are the General Data Privacy Regulation (GDPR) of the European Union (EU) and the California Consumer Privacy Act (CCPA).

 

Europe’s General Data Privacy Regulation (GDPR)

The GDPR is the EU’s regulation on data protection and privacy, which applies to all individual citizens of the European Union and the European Economic Area (EEA). It was put into force in May 2018 to safeguard citizens’ privacy by obliging enterprises that process personal data to abide by the following principles:


  • Transparency, fairness, and lawfulness in the handling and use of personal data. Individuals need to understand fully how their data are processed. Furthermore, data processors must have a “lawful basis” for processing that data.
  • Limiting the processing of personal data to specified, explicit, and legitimate purposes. Enterprises and other entities that process personal data are not allowed to use or disclose personal data for purposes other than, or incompatible with, the purpose for which the data were collected in the first place.
  • Minimalism regarding the collection and storage of personal data. Only data that are adequate and relevant for the purpose at hand can be collected and stored.
  • Accuracy of personal data and provision of options for erasing or rectifying it. Enterprises holding personal data must ensure that these data are accurate. Furthermore, they should provide the means for correcting errors associated with these data.
  • Limited personal data storage. Specifically, personal data must be retained only for the period necessary for achieving the purpose for which the data was originally collected.
  • Safeguarding the security, integrity, and confidentiality of personal data. GDPR mandates that organizations undertake actions that keep personal data secure, including relevant technical and organizational security measures (e.g., data anonymization and encrypted data storage).

GDPR foresees huge fines for cases of non-compliance, which has led most organizations to establish privacy frameworks and technological solutions for the protection of personal data. Hence, it has been a game changer for European enterprises. Moreover, it already has a significant impact outside the EU, as all global enterprises that operate in Europe adhere to GDPR principles. Furthermore, several countries outside the EEA have considered GDPR as a basis for developing their own privacy regulations.

 

Emergence of California Consumer Privacy Act (CCPA)

At the dawn of 2020, a comprehensive privacy law came into force in the United States of America as well, although it concerns only Californians, i.e. the approx. 40 million Americans who live in California. The law is called the California Consumer Privacy Act (CCPA) and is concerned with the protection of personal data, including the relevant rights and obligations of citizens and businesses. The CCPA provides a quite broad definition of personal data as anything that could be linked with a particular consumer. Under this definition both legacy data (e.g., names, postal addresses, social security numbers, IP addresses) and data associated with emerging technologies (e.g., biometric or genomics data) are classified as personal data. Nevertheless, publicly available information provided or published by federal, state, or local governments is not CCPA-protected. This eases the operations of data brokers that collect, aggregate and sell information like property records, court filings, voter registrations, birth and marriage records and more. Furthermore, it does not inhibit Artificial Intelligence (AI) innovation, as anonymized user information is likewise not covered or protected by the CCPA.

Similar to GDPR, CCPA establishes a number of principles that define what businesses and citizens can do when processing personal data or when having their data processed. Some of these rights and principles include:

  • Transparency about the collected information. The CCPA provides Californians with the right to know the categories of information collected by an enterprise that maintains personal data for them. Furthermore, they can access the specific information that an enterprise keeps about them.
  • Suing companies for data breaches. CCPA specifies how and when citizens can sue companies for data breaches. This is expected to benefit citizens, as it will lead companies to improve the ways they handle data.
  • Instructing companies not to sell personal data. Citizens are provided with the right to order enterprises not to sell their personal data to other companies.
  • Right to be forgotten. It is also possible for citizens to ask to have their data erased from a company’s records, i.e. to exercise the “right to be forgotten”, which is a popular principle of the GDPR as well.
  • Opting out from data collection. Citizens may instruct companies to stop collecting data about them. Such opt-out decisions can be taken by citizens after they understand which data are collected about them and for what purpose. Note, however, that this right is different from the opt-in case in Europe, where citizens must give explicit consent for any data collection to take place.

Overall, the CCPA will strengthen the data protection rights of citizens by obliging companies to do more on privacy and data protection than they currently do. Moreover, it’s likely to benefit citizens outside California, much in the same way GDPR affected citizens and businesses outside the EEA. For example, several companies are likely to apply CCPA rights and principles to their entire customer databases, as it is difficult for them to properly segment the databases in order to identify Californians.

 

GDPR and CCPA are certainly positive steps towards safeguarding citizens’ privacy. They make companies more responsible and more concerned about providing an ethical environment for their employees and customers. Moreover, they empower citizens to take control over their personal data. However, much as privacy is about regulation, it is also about users’ participation in the various on-line services. In the coming decades many citizens will opt to provide their personal data to on-line service providers in exchange for speed and convenience in accomplishing their everyday tasks. This makes on-line privacy more challenging than ever before and will fuel a debate on whether citizens understand and care about their data when using popular on-line services.

Is privacy possible in 2020? This still remains to be seen.

2020 IT Exchange, Inc