Amid online privacy concerns, Europeans can breathe easy. A citadel of pro-consumer regulations, the European Union (EU) is now on its way to harness the tech titans, who happen to be in a bit of a scramble these days. Indeed, the EU’s implementation last week of data protection rules under the ‘General Data Protection Regulation’ (GDPR) directive has given the rest of the world, and Pakistan, a template to follow.
The EU bosses are rightly treating ‘data protection’ as a fundamental right. They intend to form a ‘digital single market’ by enforcing GDPR on all companies – both tech and non-tech – no matter where they are based, so long as they are handling user data or tracking user behavior within the EU. Companies are complaining of a compliance burden and face potential penalties; but GDPR clearly has the users’ back.
For instance, a personal data breach now requires that the user be informed of it if the user’s well-being is put in danger.
Users can now ask a company to erase their data in case it erroneously represents them. Besides this so-called ‘right to be forgotten’, users can also demand their data back or ask for that data to be transferred to another company.
Perhaps the most significant GDPR provision requires companies to obtain users’ informed consent before handling their personal data for internal and/or external use. It notes, “…silence or inactivity will no longer be considered as valid consent as a clear affirmative action to express the consent is required…”
Taking user consent will ensure that companies do away with the legalese one finds in long-winded terms & conditions; instead, they will cut to the chase: ask for permission in a clear and concise manner.
This ‘opt-in’ regulation is where tech giants like Facebook and Google might stumble. On these platforms, it’s ‘all or nothing’ – that is, users have to agree to, or check, all the boxes to be able to use the platform.
Companies are also required to tell their users for what purposes their data will be processed and with whom it will be shared. This will likely have a negative impact on digital advertising and mass marketing, with a positive spillover on conventional advertising media.
In Pakistan, data protection is a major concern. Existing laws – such as the Prevention of Electronic Crimes Act, 2016 – don’t go very far. The recent, belated release of the Digital Pakistan Policy leaves it for the next government to enact the envisaged data protection and privacy laws.
Meanwhile, episodes like the Careem data breach earlier this year threaten the privacy of individuals partaking in the online economy.
In addition, it is feared that users’ personal data is sold to third parties by unscrupulous individuals at telecom and broadband operators, thus violating user privacy and fueling spam.
Surely, Pakistan doesn’t enjoy the kind of economic muscle and policing capacity that the EU has. But GDPR is common-sense regulation which can be implemented through a dedicated, serious-minded data protection agency. If the EU’s regulations catch up with other developed economies, it may force tech firms to follow the same data-protection protocols in developing countries.
But that likelihood is perhaps years away. The onus is now on the next government to ensure safety & security of online users.