Many people around the world know that data theft is a big deal, what with the Equifax Data Hack of 2017 and, more recently, the Cambridge Analytica unauthorized third-party data sharing (read: theft) over at Facebook.
But did you know that legislation passed in Europe just shy of a year ago put the power to regulate U.S. data security into the hands of a foreign power?
On May 25, 2018, the European Union (EU) adopted a new regulatory framework known as the General Data Protection Regulation (GDPR). A companion Law Enforcement Directive establishes data protection standards in the area of criminal offenses and penalties.
The GDPR and the Law Enforcement Directive were designed to do four things, all aimed at giving individuals more control over how their data is used and assigning more responsibility to the businesses that use it:
- Provide for significant reforms to current data protection rules.
- Provide for higher standards of data protection for individuals.
- Impose increased obligations on organizations that process personal data.
- Increase the range of possible sanctions for infringements of these rules.
The GDPR (General Data Protection Regulation) encompasses data protection and privacy for all individuals within the European Union – but it also treats the export of personal data outside the EU, and that includes the U.S.
Many EU businesses set to work: they created new data protection policies and procedures, set up brand new departments, trained staff members, and brought their data handling practices into compliance with the new governmental standard.
The EU mandate instructed data-handling businesses to assess what data they keep (rather than delete), where that data came from, and the need to preserve it.
The new EU data privacy legislation definitely favored consumers. Organizations were required to inform their customers, in plain English, how they intended to use and protect the user data collected. Consumers now had the right to access their own collected data, request that it be deleted when no longer useful, object to intrusive direct marketing advertisers, and question a computer-generated decision (about opening a loan account, for example) and request assistance from a real person.
After May 25, the Working Party 29 (WP29), the advisory body that guided the development of the regulation, was replaced by the European Data Protection Board (EDPB), composed of the same people under a new brand. This regulatory body can fine companies found in breach up to 4 percent of global turnover or €20 million (roughly US$22.3 million), whichever is higher.
The GDPR was enacted to protect the rest of us from the tech giants who have, historically, proved irresponsible in safeguarding their users’ valuable information. It took years of negotiation between European legislators and representatives from the large, rich, international data-handling companies.
One concession granted to the Big Tech corporations was that the lead regulator be located in the same country in which the tech firms have their data controller. DigitalGuardian explained:
“In GDPR and other privacy laws, the data controller has the most responsibility when it comes to protecting the privacy and rights of the data’s subject, such as the user of a website. Simply put, the data controller controls the procedures and purpose of data usage.”
By contrast, “a data processor simply processes any data that the data controller gives them. Following the example above, the data processor is the third-party company that the data controller chose to use and process the data.”
Furthermore, the new EU law states very clearly that third parties have no proprietary rights to user data:
“The data processor does not own the data that they process nor do they control it. This means that the data processor will not be able to change the purpose and the means in which the data is used.”
Pop quiz! Which EU member nation has the most Big Tech data controllers?
The answer might just surprise you: it is the land of Shamrock Green, the Emerald Isle – yes, Ireland.
Big Tech companies have updated the landscape of Ireland in certain parts of the country, a memo missed by much of the rest of the world. The rich corporations are sharing their wealth with play-along countries who offer tax breaks and other incentives to build lavish office complexes and sluice money through the pulsing veins of the national economies.
Can you guess what the problem is today with the GDPR?
Politico nailed the answer:
“The designated lead regulator — the tiny nation of Ireland — has yet to bring an enforcement action against a big tech firm.”
That’s what happens when legislation builds in a conflict of interest.
There would be no GDPR if the Big Tech companies hadn’t been allowed to dictate the terms. They set up their good-buddy country Ireland, dotted with Silicon Valley firms that provide jobs and revenue, as their chief regulator.
What motivation does the Irish government have to levy financial punishments on the very companies that are boosting the national economy?
The answer, as we have already mentioned, is zero.
Instead, with Ireland as Chief Data Guard for Europe, the U.S., and other parts of the world, Facebook reintroduced its much-decried facial recognition software and data sharing after recently purchasing subsidiary WhatsApp, and Google has come under the gun for unauthorized cross-platform data sharing.