In my last post and in episode 017 of YATP I discussed some of the interpretations regarding the abilities and monopolies that the EU is granting themselves and member states through the enforcement of the GDPR described back in 2016. Today I’ll continue with some of the finer details as to what defines consent, how information regarding to data collection requests are presented, and, most importantly, what liberties are granted to the creators and collectors of personally identifiable information.
If you’re not familiar with the GDPR, a brief and apt description would be that the GDPR is a regulation set forth with the intent to protect the information of individual EU netizens from the prying eyes of data collection enthusiasts, to inform the creators of personal data, the types of data being collected, and to give them the right to request their personal data as well as have it removed from a given database (the lattermost known otherwise as the right to erasure).
As per the last post, I’ll be using a post from @h4ck3r9 as the kick-off point, wherein they’ve gone through the presentation of some subsequent articles that are present in the GDPR. Any proceeding blockquotes are directly from @h4ck3r9’s original post. Let’s dive in!
Consent requests also cannot be hidden in other documents.
Of course this part of the GDPR is a doozy. Remember those warnings given to Hollywood stars in their respective movies/TV shows to ‘read the fine print’ and the subsequent gotchas that took place because they forgot to do so? Well, this is no longer going to be the case with the enforcement of the GDPR. In order to get consent from a given creator of personal data, a separate document must be created. A separate request must be made in order to qualify wholly as consent. Agreeing to the Terms of Service, wherein Google, Amazon, Apple, or Facebook (GAAF) have expertly hidden their data collection policies, is no longer enough.
What’s more is that some of these articles also include description of consent over communication preferences. The GDPR seems to take communication options very seriously in that communication consent must also be explicitly requested with plain text using clear and concise language.
Something I’ve been wondering is how mobile apps will integrate this into their systems. Will Apple force GDPR compliance upon their developers and require them to display a consent requests upon first runs of their apps? Will they go the route that Google has gone with device permissions in that either permissions are acquired on a per-use basis or display a request for data collection consent upon installation? Either way, I don’t see mobile developers getting away from this sort of regulation either.
Another section describes that children aged 16 and under cannot give consent on their behalf. If a child is aged between 13 and 16, a guardian can give consent on their behalf.
The data collectors must also be able to prove that they acquired consent from the guardian of the child as well.
This is usually done by requiring that the email used to sign into the service and the email given as the consentor’s contact information be different. The child puts their parent or guardian’s email in the ‘consentor’s email’ field and the parent/guardian gets the email, almost like an activation link that companies use already to confirm the legitimacy of emails given when signing up for a new service.
However, if the child is below 13 years of age, no consent can be given and the potential collector must hide their tail between their legs, walking away in defeat (aka not bother them anymore about consent).
[Article 12] also sets up the foundation for the subject’s right to request removal of their data from a data collector’s possession.
As discussed in further articles of the GDPR, data subjects will have several rights relating to their personal data. These are rights of access, removal, and rectification.
In this context, access means that a given service user is allowed to peruse the treasure trove of data that this service provider has collected throughout the time that proceeds the user having given consent. You should be allowed to see every morsel of data this provider has on you as well as the connections the service provider made using this data to other individuals directly connected to you.
Removal has to do with the right to be forgotten. Did you steal candy canes 20 years ago and the story is still up for perusal on the internet? The GDPR says that this should be allowed to be erased upon the data subject’s request. Obviously there’s other cases than what I’ve presented here, but this is just for the sake of providing an example.
Rectification has to do with the correction of information in the interest of accuracy of a public record. Though, the article does not limit its (as well as the right to erasure’s) reach to public record and includes private databases in which information pertinent to the user is present.
Unfortunately, this perfect organization of information within a database makes it ever so easy to simply erase record of activities of an individual and makes me a little suspicious of Orwellian activity. We’ll see what happens in the future of course.
Where the icons are presented electronically they shall be machine-readable.
I found this one of the more interesting articles present in the GDPR. The Creative Commons organization has a few buttons to signify what portions of the CC license applies to a specific work that’s presented along with the icon. These buttons clearly state the types of permissions afforded to the consumer of such works. I can see some companies implementing a similar iconification scheme where different icons signify the different types of information collected and what is being done with them. It’s certainly up to the adherers of the GDPR to commit something into their projects.
It seems the GDPR isn’t as heinous as one might think it is, but it certainly has the potential to be. It’s not as dry as some previous legalese that I’ve read and I think that’s by design. The philosophy behind it shows in the formatting of the regulation and it will be an interesting turn out, revisiting this one year from now.
Certainly I didn’t cover every morsel of @h4cker9’s post so you should go read it regardless of the interpretation I’ve presented here. If you enjoyed this work, consider sharing it on your social media. If you have any questions or comments, feel free to contact me at any of the social media links below:
My blog is hosted on Digital Ocean. If you want to sign up for Digital Ocean’s VPS services I’d like to ask you to graciously use this referral link: https://m.do.co/c/fa082b6466bf . You’ll get $10 in free credit and once you’ve spent $25 of your own money, I’ll receive $25 myself, meaning that you’ll be indirectly supporting my blog.