Celebrate our privacy today (and why all the privacy notice changes are in our mailbox)
It was estimated by researchers in the US that ‘Reading the privacy policies you encounter in a year would take 76 work days’.
That is why nearly nobody reads privacy policies. They are also unclear and filled with legal jargon, and what rights and choices do I have anyway other than to accept?
That is one of the reasons why today is a very special day for our privacy as European citizens.
We gain many rights that protect our data from being handed over, just like that, to anyone who pays; that protect data we would rather others did not know about from being handled insecurely; and that protect us from the many pages of privacy notices that nobody reads or understands.
This and more is what the GDPR (Global Data Protection Regulation), which comes into effect today, has on offer for our privacy.
Our privacy rights under the GDPR
Chapter 3 of the GDPR outlines all the rights we have. All of them relate to the processing of your Person Identifiable Information (PII). PII is any information that can identify you (a natural person, not a business): your name and surname, the combination of your post code, gender and age (which can identify you when combined with publicly available data), but also your hair colour if you’re the only redhead in the room.
Processing is any activity involving your data, really anything: saving, changing, sharing, using, and so on. As long as someone has your data, they are responsible for handling it according to the GDPR.
Amongst our most important privacy rights are:
1) We have the right to access all data any party holds on us (art. 15)
Your name, location information, eating preferences, IP, browser type, photo, sport activities … the list goes on.
You can write to any company or public organisation that has your data and request that they provide you with information on all the data they hold about you. In the case of Google, for example, you go here to get a summary of your data.
If a company does not respond to you within 1 month (or responds stating that it needs more time, in which case it can extend by 2 further months) or does NOT respond at all, you should contact your local authority (the AP in the Netherlands, for example), where you can file a complaint.
2) We have the right to correct or erase our data (art. 16 & 17)
If our data are incorrect, we should be able to change them (this is quite important in the case of financial calculations, mortgages, or where the government determines what we receive, for example).
We also have the right to have the data deleted. This means that if you withdraw your consent (no, I don’t want that newsletter or this type of cookie), or when an organisation has no contractual, legal or other legitimate reason to hold our data (art. 6), they must delete our data.
Organizations should do this in any case: once there are no legitimate reasons to hold your data, they should dispose of them as standard.
3) We can restrict processing of our data and object (art. 18 & 21)
A lawyer and calligrapher in Spain sued Google so that obsolete information that violated his ‘honor, dignity and reputation’ would be removed from Google. Some think this is going too far with privacy and goes against the freedom of information, but with the GDPR you definitely have the right to object.
You can thus object to processing if it can cause you harm, even if there is a legitimate reason for the processing.
You can ask the organisation to restrict the processing when you do NOT want your data to be erased but the data are inaccurate, the organisation acquired your data illegally, there is no longer a legitimate reason for processing, or you simply object to the type of processing.
You can object to processing, for example, in the case of marketing, direct marketing, or where websites gather information about you that makes up a complete profile of you (combining information about your PC, browser, operating system and the websites you visit, for example).
4) Right to get your data (art. 20)
This is called the right to data portability.
It is your right to get the data an organization holds on you in a ‘structured, commonly used and machine-readable format’ so that you can, for example, transfer this data to another organization.
5) Consent and privacy policy - Why are you getting all those new privacy notices in your mailbox?
Over the past few days, we’ve all been receiving emails about new privacy policies, sometimes asking you to give consent to be kept in a contact list or to receive a newsletter. But why?
In the past, when you signed up for a service or were checking out your shopping basket before paying in an online shop, there was a check box, already ticked for you, that said something about the organization being allowed to use your information.
This is no longer allowed. When you sign up for a service or check out, anything that has to do with additional processing that is not necessary for the contract should not be pre-checked.
Also, consent should be asked for separately for every type of processing, and stated clearly in plain language.
You should see an unchecked box including a very clear statement of what you are agreeing to:
If you tick this checkbox you agree that we will sell your data to aliens invading us to protect the rest of the planet. If you want to know more click here.
If a company previously had the checkbox pre-filled, or if they did not provide clear information about what they do with your data, this ‘consent’ is no longer legal. They therefore do not have the right to process your data and must ask you again, in a GDPR-compliant way, whether they may process it.
That's why all the new privacy policies and consent questions are in your mailbox ;)
Have fun using your privacy rights!
Orange Icons: By Open Knowledge, Some rights reserved.