If you use apps like Instagram, Facebook, Twitter, and well hey, Google, chances are you would have received notice from these and a host of other companies informing you that they have updated their privacy policy.
This is because a new regulation called the General Data Protection Regulation (GDPR) took effect in the European Union (EU), and companies have spent the past several weeks scrambling to comply.
It is a groundbreaking piece of legislation, which has the potential for worldwide ramifications, and aims to:
- Make organisations more transparent about what data they hold
- Prevent unnecessary data collection
- Give individuals the right to get organisations to erase their data
- Increase the penalties organisations face for misusing data
So it's a big deal?
Indeed it is, as the fines are hefty. A firm can be fined up to 20 million euros, or 4 per cent of their worldwide annual revenue, whichever is higher.
In case those figures don't look scary enough, consider this:
Last year, Facebook's annual turnover was approximately US$40.7 billion. This means a breach of the GDPR by a social media giant like Facebook could potentially put them on the hook for almost US$1.63 billion.
Ouch.
What does this have to do with me?
Many may wonder why this act is relevant to Singaporeans, since it is a law passed by the EU.
GDPR applies to any organisation operating within the EU, as well as any organisation outside the EU which offers goods or services to customers or businesses in the EU.
This means that almost every major corporation in the world, including ones based in Singapore, must now have a clear GDPR compliance strategy.
The regulation was adopted by Europe's Parliament in April 2016, and organisations were given a two-year implementation period to prepare. This period ended on May 25, 2018, and the regulation is now fully in effect.
Oh ok, so it's like a European PDPA?
Consider the GDPR a more advanced version of the PDPA. The GDPR places more emphasis on privacy protection, though it is debatable whether it is a good thing or not.
Our own Personal Data Protection Act (PDPA) was passed on Oct 18 2012, though there are differences in both rigour and scope compared to the GDPR.
There are many differences between the two, which we've summarised and simplified here:
a) Scope
The GDPR applies to virtually all forms of personal data processing, while the PDPA has several glaring exceptions, such as not applying to the public sector.
This means that there are many ways for a company to process personal data lawfully under the PDPA under its many exceptions, but good luck trying to worm your way out of the GDPR if you process or possess any kind of personal data at all.
b) Consent
The PDPA requires consent to be given by the individual in order to process personal data, but does not specify how the consent request must be presented. The PDPA also allows deemed consent, which assumes that consent for data processing and storage is given if an individual voluntarily provides personal data to the organisation, and it is reasonable for the individual to do so.
To comply with the GDPR, companies need to explicitly ask you whether you allow them to use your data for a specific reason, rather than assuming you will allow it. The GDPR also sets out several criteria for consent requests, such as requiring them to be separate from other terms and conditions, and requiring a positive opt-in (no pre-checked boxes or default consent).
This means that companies that sneakily place their consent requests within their terms and conditions hoping that the individual will not read it fully may be liable for penalties under the GDPR.
A side-note about pre-checked boxes in online forms
Sometimes, especially on some airline ticket booking websites, you might come across add-ons that are automatically included in your total cost because their boxes have been pre-checked.
In Singapore, the pre-ticked boxes used by the likes of Singapore Airlines and Jetstar to auto-include travel insurance when booking tickets have already drawn a lot of flak. Consumers have complained that the pre-checked boxes confuse them, with many having bought things they did not need because they were careless.
With this in mind, it is easy to see how the same confusion could apply to personal data collected from the public. Many are simply unaware that they may have provided certain companies consent to process their personal data, due to similar pre-checked boxes being used.
Under the GDPR, a pre-checked box does NOT count as consent from the customer, because such boxes are easy to overlook and many consumers may not fully understand what they are agreeing to.
Given this example, it is easy to see how users may fall victim to pre-ticked boxes and give away more data than is necessary.
c) Data minimisation
Less is more. Under the GDPR, an organisation should only collect personal data that is necessary, and should not ask you for irrelevant information.
On the other hand, the PDPA allows any personal data that is reasonably appropriate to be collected.
However, it is not clear what "appropriate" means in the context of the PDPA.
In essence, you can say goodbye to companies asking for your phone number when they don't need it.
d) Correction and erasure of data
The GDPR mandates that time is of the essence when there is a breach of data. An organisation has just 72 hours to own up to a data breach, or risk being fined.
On the other hand, the PDPA has no mandatory data breach notification provisions, meaning there is no legal requirement for a company to report a data breach. However, failure to report a breach will lead to stiffer penalties.
While the GDPR may seem a lot stricter on paper, the PDPA should not be messed with either.
Data breach? Does this have anything to do with those super-long Facebook hearings in Europe and Singapore?
Yes indeed. Data breach reporting was a point of contention during the Select Committee on Deliberate Online Falsehoods hearing earlier this year, where Facebook representative Simon Milner was grilled for three hours over data leaks involving Cambridge Analytica, a data analysis and marketing company.
Milner was repeatedly asked why Facebook did not reveal that the personal data of 50 million Facebook users had been obtained by Cambridge Analytica.
Although Facebook didn't flout any regulations under the PDPA, with the introduction of the GDPR, a repeat incident will land the company in hot soup, given the strict penalties involved.
All this sounds pretty ideal from the users' perspective. But how are they going to enforce something as huge as this?
Excellent question. Indeed, a regulation with such far-reaching effects attracts both controversy and challenges in terms of implementation.
The regulation makes it clear that it applies to any business that processes the data of an EU citizen, regardless of geographical location. The question is, how will the EU enforce sanctions on a non-EU company, for instance, and will other countries respond with their own borderless regulations?
We don't have answers, and we hope the EU does.
Another consideration is that it's so pro-user that it could potentially be exploited as well. Within the GDPR, there is a "Right to be Forgotten" clause, where any EU citizen can request the removal of any data linked to the individual that is held by a company.
This also certainly sounds like it could potentially extend to things like news articles — can an individual demand that an article written about them be taken down?
The conditions stated here are relatively broad and could foreseeably be abused.
So... back to the flurry of updated privacy policy emails and in-app prompts. Does this mean I shouldn't have blindly ignored and accepted these emails and new terms?
Unfortunately, not accepting the new terms is not an option with some apps and services, thanks to clever manoeuvring by tech companies like Facebook, Instagram, WhatsApp and Google.
In order to adhere to the GDPR, many companies are asking consumers for consent to their terms and conditions, with a catch — if you do not accept the terms, then you cannot use their service.
This take-it-or-leave-it approach displayed by these companies is worrying, because it amounts to what is essentially blackmail. These tech giants realise that it is unlikely that consumers will ditch their platforms, chiefly because of the amount of time they have already invested in building social profiles on them.
What we're saying is if you have a Facebook account with 1,000 friends, or are on Instagram with a similar number of followers, it won't be easy for you to quit in protest of their new, intrusive data collection terms. Most people will simply choose to agree to them all in order to use the service — which is exactly what the tech companies are betting on.
Hold up. So these big companies are basically ignoring the law?
If you suspect these companies are exploiting a loophole, you aren't alone.
A privacy group known as NOYB, which stands for "none of your business", emerged almost immediately after the GDPR went into effect to file a lawsuit against these social networks.
They argue that the act of barring users who do not consent to data handling that isn't strictly necessary is in itself breaking the very law they are trying to circumvent.
NOYB's founder, 30-year-old Max Schrems, has already won a historic case against Facebook in 2015. Should his new lawsuit succeed, users of these social networks may be able to opt out of targeted ads, for instance.
This, regrettably, could also potentially have huge ramifications for users, as targeted ads form the bulk of the profits for these companies.
In order to make up for lost revenue, they might start reverting to general ads that are not user-customised. They might start charging fees to use their services. They may even pull out of Europe entirely, in order to avoid having to face these laws.
However, these scenarios will only come true if the EU data protection authorities can crack down even further on these companies. With the law as strict as it is, and no crisis in sight, they may simply be content to lay down their arms for now.
Privacy is not a sexy subject, and there are many who will click "I accept" just so they can watch another cat video.