There’ll A pyrrhic victory for privacy? AT
From today, everyone from shops to charities, companies and even your local church must have YOUR permission to contact you. But already confusion reigns ...
Over recent weeks, millions of us have been deluged with polite begging letters and emails. They all ask us to give them our express permission to keep bombarding us with marketing material and to continue harvesting our most personal information.
Such correspondence comes from a host of organisations — such as those which we have used to buy products (and they have subsequently kept our details), charities, farm shops, local societies which send us newsletters and internet giants such as eBay and Google.
So we may be contacted out of the blue by a small florist from which we bought Auntie Doris a birthday bouquet or from Save The Children, to whom we once gave a donation. In essence, they are obliged by law to get us to instruct them that we wish to remain on their mailing list.
This is the result of an eU-inspired rule called the General Data Protection regulation (GDPr), which comes into force today. It represents the biggest shake-up in data protection rules and changes to privacy laws since the internet was conceived.
It is designed to ensure consumer protections are fit for a world where more personal data is being generated and stored by third parties than ever before.
As well as putting a curb on the ability of behemoths Google, Facebook, Apple etc to barrage us with unwanted correspondence, it offers a welcome opportunity for us all to cull the number of emails and junk letters we receive.
As from today, it will be illegal for data giants to use and sell people’s information without their express consent.
The new rules also make it easier for us to access the information that organisations hold about us. As ever with such a major piece of new legislation, there will be winners and losers.
Worryingly, many small charities fear they will lose contact with donors and therefore their income will be reduced. Other small organisations are concerned that the extra bureaucracy involved may become intolerable.
But there will be advantages — apart from the chance to halt the flood of junk mail — such as the right to ask any company for the data it collects about us, and that includes asking our employer.
be a right, too, to be sent a copy of that personal data, free of charge, and in electronic format. For their part, businesses have inevitably raised concerns about the costs of compliance, which include the requirement for firms with more than 250 employees to hire a data protection officer to deal with all these issues.
Those who break the rules face fines of up to ¤10 million, or two per cent of global turnover (whichever is higher), for small breaches of the new regulation, rising to ¤20 million, or four per cent of global turnover, for more serious offences.
The GDPr places a duty on every company or organisation that holds personal data — such as names, addresses, phone numbers, email addresses and IP addresses (the number assigned to individual electronic devices) — to ensure they have the consent of the owner of that data.
hence the flurry of begging ‘opt in’ messages.
Initially, I was overjoyed to learn of the General Data Protection regulation. This week, my email inbox has been overflowing — as always. There were the neverending requests from companies and organisations I have used only once or never heard of.
One asked, for example, whether I was having ‘complications’ after my hernia surgery. however, I have never had hernia surgery.
God knows how the firm got my email address. Another, bizarrely addressing me as ‘Judith’, wanted to sell me property in Dubai.
No wonder I thought the introduction of the GDPr would be a once-and-for-all opportunity to ignore emails and never be contacted again.
And yet, this new eU legislation has a downside. I run the cricket club in the Cambridgeshire village where I live, and regularly send emails to a list of 40 players of varying involvement and enthusiasm.
Under the GDPr, I will have to get the consent of everyone to keep sending them correspondence, or potentially face a fine.
Similar sports clubs all over the country have the same problem.
ArcheryGB, an umbrella organisation for dozens of clubs across Britain, has had to give advice to its members. It says they’ll need to comply with the regulations ‘or penalties could be imposed, including very big fines’. It explained that the GDPr will apply ‘whether you pay staff or are all volunteers, whether you have a clubhouse or not, whether you have ten or 1,000 members … there are no exemptions!’ And it’s not just sports clubs. A churchwarden, who puts together a list of volunteers to read the liturgy at his parish church, worries he will be breaking the law.
he says he will not be able to include anyone in a rota unless they have given him their express consent. Forlornly, he says: ‘The wonderful european Union has produced a regulation, directly enforceable in english law, which decrees I can be fined up to ¤20 million.
‘ I do not understand why we all just give in to this sort of appalling nonsense. Do we really object to continuing to receive emails from people with whom we have been happily communicating for years?’
The responsibility for incorporating the new regulation into law has been delegated to Britain’s Information Commissioner’s Office (ICO).
Naturally worried about my village cricket club correspondence, I referred to its website. But it is full of vague statements, such as: ‘ You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.’
how are church volunteers, local cricket club secretaries and anyone else who helps run a community organisation expected to carry out an ‘information audit’?
The Information Commissioner’s Office website went on: ‘You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPr implementation.’ But there is no clear explanation what those ‘necessary changes’ are.
Confused, I rang the ICO, seeking reassurance with a series of hypothetical issues that I might confront with my fellow cricketers. A spokeswoman told me: ‘We don’t answer theoretical questions.’
Instead, she sent me more guidance. An online questionnaire, which I completed, concluded: ‘Yes, you do need to get ready for the new law.’
Separately, a statement by Steve Wood, the deputy information commissioner, set out to dispel a number of myths and misunderstandings surrounding GDPr.
Contrary to the advice of the questionnaire, he said that clubs were not necessarily prevented from sending out newsletters without the permission of recipients.
So much for clearing up misunderstandings!
Also, Mr Wood’s statement added: ‘ Where you have an existing relationship with customers who have purchased goods or services from you, it may not be necessary to obtain fresh consent.’
Surely this negates a key aim of the GDPr?
In any case, the word ‘ may’ is hardly reassuring when breaches can lead to heavy penalties.
So I rang the ICO again and asked: ‘If I got someone’s email address five years ago, do I now need to seek their permission to send them emails?’ They couldn’t answer, but told me: ‘ We’re not going to come after people who organise church rotas. As for large firms, our advice is not to panic.’
leAST they’re promising to show a bit of common sense. But that doesn’t change the fact we are about to have a powerful piece of new law, with provision for huge fines, and yet few seem to know what it means.
Meanwhile, unwanted emails keep dropping into my inbox — such as a firm inviting me to enlarge my breasts.
Will the new regulation do anything to stop them? Probably not, as there is already a law which is meant to cover the sending of unwanted marketing emails — the Privacy and electronic Communication regulations of 2010.
Although many firms have been fined heavily for breaching these, the regulations seem to have had little impact on the amount of unwanted emails we all receive.
Indeed, a lot of these messages, especially the fraudulent emails asking me to transfer money from my bank account in return for a large financial reward, come from abroad and are therefore beyond the regulations’ remit.
Of course, commercial firms are busy trying to find loopholes in the General Data Protection regulation and will undoubtedly exploit the fact it only covers what happens in europe.
In fact, I bet you ¤20 million that all the big Silicon valley-based data giants who make such handsome profits by plundering our information will find a way to duck the rules.
Facebook, for example, has already changed the territory where about 70 per cent of its users are registered — from Ireland to the U.S. — and thus away from the reaches of european authorities.
It doesn’t take a genius to realise that billionaire data company bosses and fraudsters will carry on pretty much as before, while the lives of church volunteers and village club secretaries are made much more difficult.
I would ask you to send me your tale of woe about these new regulations — but it would probably get lost among the avalanche of unwanted nonsense already bunging up my inbox.