In the last two weeks your inbox will probably have been bombarded with emails asking you to agree to new privacy rules about your personal data. It may be the first time you’ve seen the acronym GDPR – which stands for General Data Protection Regulation – but it won’t be the last. This new set of regulations from the European Union about how businesses handle our personal data is a profound and significant step in allowing people to regain control of their data and privacy.
In the face of an unprecedented invasion of our personal privacy – which was highlighted by the Cambridge Analytica harvesting of 87m Facebook users’ data to manipulate the 2016 US presidential election and the Brexit vote – the EU has emerged as an unlikely hero.
The European Union functionaries in Brussels have often been accused of being small-minded bureaucrats for a range of seemingly pointless legislation, including the curvature of a banana. The EU itself claims this “bendy bananas” so-called Euromyth was “the myth to end all myths” and that “straight and bendy [bananas] are not banned by the EU” but, to maintain quality, they must be “free from malformation or abnormal curvature”.
GDPR gives the lie to the Brexit arguments about leaving the EU due to such “meddling”. This legislation alone is worth it – notwithstanding the UK’s access to the world’s largest trading bloc.
These new privacy regulations came into effect last Friday, 25 May, and are being taken so seriously by all those frantically emailing companies because the consequences for failing to uphold them are so severe.
This is a profoundly good thing. With net neutrality potentially being compromised in the United States – despite a symbolic victory last week that attempts to keep the legislation that ensures all traffic is transmitted with equal importance by US internet service providers – the world needs GDPR to protect our online privacy.
The EU can fine offending companies as much as 4% of annual global revenue, a hefty sum for serial privacy-offending Facebook that might be as high as $1.6bn. Facebook has already moved 1.5bn of its users back to California from international headquarters in Ireland to avoid any potential conflict.
So what exactly is GDPR?
It “regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU,” meaning a foreign company handling an EU citizen’s data might be sanctioned by it. No wonder we’ve all been getting so many emails to “review your privacy settings”.
Individuals must be notified when the data is collected; who the company or organisation collecting it is; what purpose they will use it for; “the categories of personal data concerned; the legal justification for processing their data; for how long the data will be kept; who else might receive it; [and] whether their personal data will be transferred to a recipient outside the EU”.
People also “have a right to a copy of the data and other basic rights in the field of data protection”.
Although we will get some measure of protection from GDPR, South Africa’s own Protection of Personal Information Act (POPIA) legislation is still being enacted. If only we had such punitive costs for exploiting our data, then our country would be a safe (cyber) place.
This column first appeared in Financial Mail