As the giants of the internet such as Google, Apple, Facebook and Amazon collect, analyze, store, use and share enormous quantities of personal data, the issue of data privacy continues to be a priority. The explosion of data, and in particular personal data shared by consumers, has made data protection an ever more complicated challenge. At its heart, lies a delicate balance between legal frameworks and international relations.
"The explosion of connected objects and healthcare applications is generating massive amounts of personal data whose legal framework is still unclear." says Nathalie Devillier, a professor and researcher at Grenoble Ecole de Management who specializes in e-healthcare, telemedicine, privacy rights and data protection.
One of the agreed upon legal conditions for collecting personal data is the concept of “user consent.” A user must consent to their personal data being used for the purposes of an application or other activity. “However, this is a delicate subject. For example, when you download a healthcare application, you implicitly accept a contract that approves the processing of your health-related personal data. It’s non-negotiable if you wish to use the application. In practical terms, the legal principle of ‘user consent’ doesn’t pan out.” explains Nathalie.
“Collecting sensitive personal data can result in information about a user being sold to third parties or worse yet, being used to discriminate during a job interview or when buying health insurance.” adds Nathalie. This highlights the need for both individual and collective surveillance of how personal data is used by companies. “The need to educate users is a critical part of ensuring they can give their informed consent. The risk is that the gap in understanding between users and data collectors will continue to widen.”
Europe takes a step towards tighter regulations
On April 14, 2016, the European parliament voted to overhaul the current data protection regulations. This new set of rules is designed to allow users greater control over their personal data. Key provisions include:
- A user’s clear and affirmative consent to the processing of his or her data
- The right to be forgotten
- The right to access and modify your personal data
- The right to refuse the use of your personal data for user profiling
- The right to transfer personal data from one service provider to another
- The creation of a central European authority for oversight
- The possibility of administrative fines up to 4% of a company’s turnover or 20 million euros (whichever is greater)
Despite these improvements, Nathalie highlights the fact that “although the 20 million euro limit is much higher than previous European limits, we know that the maximum fine is rarely applied. In addition, if you take the US for example, fines are often agreed upon through mediation because going to court against a class action lawsuit would result in much higher penalties. And these agreements are already often in the millions of dollars!”
Data protection is still a matter of diplomacy
Ever since Edgar Snowden’s leaks about European surveillance carried out by US intelligence services in collaboration with major internet players, the EU and the US have been engaged in negotiations to protect personal data. In 2015, the 15-year-old Safe Harbour agreement, which regulated the flow of data from Europe to the US, was struck down by the Court of Justice of the European Union. In its place, a new agreement known as the Privacy Shield was set up to ensure companies such as Facebook or Google protect European users’ personal data when transferred to the US.
“However, the legal framework that was negotiated without much media attention is in fact quite similar to what was already in place. As long as the principle of ‘adequacy’ still applies, it will be hard to apply real restrictions to the transfer of data.” says Nathalie.
The ‘adequacy’ principle is the idea that to transfer data to a country outside the EU, said country must demonstrate adequate levels of protection of personal data. “The issue is that adequate doesn’t mean equivalent. As a result, this legal framework is still dependent on diplomatic negotiations. When countries are negotiating major international agreements, data protection can easily become a secondary issue.” concludes Nathalie.