
Data Protection by default in social media – Eleni Kallea

Eleni Kallea

Eleni Kallea is a Brussels-based EU Affairs Consultant & Communications Specialist, currently working as a Team Leader EU Communications for the Europe Direct project of DG COMM, European Commission. She holds a BA in Law, an MA in Translation and an MSc in Information and Communication Systems Engineering.


Introduction

After a decade of scandals regarding security breaches and leaks of personal data by public and private collectors, the European Union implemented in 2018 the General Data Protection Regulation 2016/679 (GDPR). The GDPR establishes a broader framework for the protection of personal data, larger than any similar regulation that has ever existed in the EU or elsewhere. From a technical point of view, any company that processes and stores information about EU citizens within EU countries must comply with the GDPR even if it does not have a business presence on the continent. The purpose of the GDPR is to offer EU citizens optimal protection, to protect their data from misuse and to keep it fully under their control.

GDPR

Nowadays the use of social media is becoming more and more widespread, hence data protection must be their main goal. The GDPR lays down rules for the collection, analysis, and processing of users’ personal data; social media must adapt to these rules and review their policies accordingly. This article examines the changes imposed by the GDPR on social media regarding data protection by default, all within four years after the implementation of the GDPR in the EU. Data protection by default means that the user service settings must be data protection friendly from the start and that only data which is necessary for the purpose of the processing should be collected. This article outlines a first assessment of how social media have lived up to the requirements imposed by Article 25 GDPR. In light of the latter, social media should implement appropriate technical and organisational measures in an effective manner and integrate the necessary safeguards in order to protect the rights of data subjects. That obligation relates to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.

Protection of users’ privacy in social media

The protection of users’ privacy falls into two main categories: security-oriented engineering methodologies and privacy enhancement technologies. The former focus on methods and techniques for addressing security issues (including privacy) during the early stages of system development and the latter describe technological solutions to ensure user privacy during system implementation. However, in the context of social media, a combination of solutions from both categories is used. The main issue that arises is that, although new technologies aimed at protecting privacy are being developed, social media service providers avoid using and applying them in their privacy policies, as they prefer to maintain control over users’ personal data. On the other hand, users cannot choose an implementation technique to protect their data, but are forced to choose between specific options offered by the social media service provider. (Kosta et al., 2010)

The concept of Privacy by default 

Recently, data protection has been approached more holistically by scholars as well as by regulators and organisations that promote data privacy, and emphasis is placed on addressing privacy concerns at all stages of system development. Privacy by default is a principle of systems engineering that requires that individuals’ privacy be respected so that the protection of their personal data is taken into account at all stages of the system’s life cycle, from the earliest stage through development and implementation to operation, maintenance and disposal. (Mitrou & Karyda, 2012)

The concept of privacy protection as a rule (by default) aims to protect individuals precisely when it comes to a lack of understanding of the risks or loss of control over the information itself. (Mitrou, 2019) The choice of “default” in software is not a new idea, as developers must constantly address the issue of appropriate information and communication technology presets. However, the principle of “data protection first”, as required by the General Data Protection Regulation regarding data protection by default, was neither the standard behaviour of products, services, and applications nor a regular principle in software design methods. (Bourka, 2018)

A technical issue with a negative impact on the effectiveness of the security model is that certain rights are grouped in a way that makes it difficult, if not impossible, to reach a fair agreement between users and applications. (Tsavli et al., 2014) In fact, Article 25 (2) of the GDPR requires data protection-friendly presets in such a way that only the minimum volume of personal data is processed, the processing is minimal, the shortest storage period is selected, and access to personal data is also minimised. Thus, the goal of data protection by default is to ensure the fundamental principles of data minimization and storage limitation in computer systems – at least in the beginning when the user has not changed the pre-installed settings – always considering the overall context of personal data processing. This contributes to the GDPR’s goal of fair processing of personal data. It can also contribute to other important provisions of the GDPR, such as the security of the processing of personal data.

Developers, manufacturers and the principles of data protection

The obligation for data protection by default is closely linked to that for data protection under Article 25 (1) GDPR, which stipulates that the controller implements appropriate technical and organisational measures aimed at enforcing data protection principles and integrating the necessary safeguards into the processing of personal data. Default data protection falls within the overall concept of privacy engineering, i.e., the integration of privacy requirements into the design and operation of information systems. In this way, data protection by design and default is closely related to the security of processing (Article 32 GDPR), which is another key requirement. The choice of defaults is not insignificant, even in terms of data security and protection, as it requires an assessment of the necessity for each processing purpose, in balance with other equally important requirements, such as usability. At the same time, it seems that the default settings on modern systems and services do not always respect the principles of data protection, and in some cases, there are even patterns of user guidance for privacy options, which can often lead to extensive monitoring of users. (Bourka, 2018)

As for the configurable functions, the developers must determine which of them should be preset, i.e., set to specific values, which represent the default behaviour of the computer system in case no one changes these settings. Alternatively, a configurable function could be left without any default: e.g., when installing the computer system or service, users (or local administrators) could be asked for their options, thus configuring the system according to their needs. For this purpose, the default on an IT system or service refers to a preset or default value assigned to a configurable setting of that system or service. This setting will not change without user intervention. It can vary from a single option to multiple options on the same function, all of which together formulate the so-called “default settings”. In addition, it may be related to the basic functionality of the system or the provision of additional functions of the system. Each time a default is assigned, user interaction is clearly minimised. Therefore, the defaults are necessary to allow the smooth operation of systems and services without burdening the users with a multitude of questions and options. At the same time, using defaults can increase user errors, i.e., if the defaults are not selected correctly or if the users are not sufficiently informed. For the European market for the processing of personal data, the GDPR has defined the principle of “data protection by default” in Article 25 as a technological perspective of the well-known – but not yet well-implemented – principle of necessity. The GDPR recognizes the power of system design and requires appropriate defaults that put data protection first and ensure that data processing is performed only to the minimum extent required for a purpose.

In the process of designing information systems or services, the manufacturer of such a system or service must decide whether any functionality or behaviour of the system or service is built-in or rather configurable. For each configurable component, it must then be decided whether there is a preset or not (i.e., there is no default option; the user would have to explicitly select the setting before use). For each preset, the configuration in accordance with Article 25 (2) GDPR must be defined and implemented. This can be done by the manufacturer or the data controller, based on the information provided by the manufacturer, who develops the relevant system or service for a specific data processing function. In any case, the data controller is the one who is responsible under the GDPR for the protection of data by default and, therefore, must be able to understand the default settings in the system or service, as well as possible options for changing the defaults. (Bourka, 2018)
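The decision process above can be expressed as a check that runs over a service's settings catalogue. The following is an added example, not code from the article or from any cited source; the setting names, option values and function names are hypothetical, and each setting's options are assumed to be listed from most to least restrictive.

```python
from dataclasses import dataclass
from typing import Optional

# The four aspects the article lists for Article 25(2) presets.
DIMENSIONS = {"amount_collected", "extent_of_processing", "storage_period", "accessibility"}

@dataclass(frozen=True)
class Setting:
    name: str
    dimension: str
    options: tuple            # ordered from most to least restrictive (assumption)
    preset: Optional[str]     # None: no default, the user must choose before use

def audit_presets(settings):
    """Return (name, preset, most_restrictive) for each preset that is not options[0]."""
    findings = []
    for s in settings:
        if s.dimension not in DIMENSIONS:
            raise ValueError(f"{s.name}: unknown dimension {s.dimension!r}")
        if s.preset is not None and s.preset not in s.options:
            raise ValueError(f"{s.name}: preset {s.preset!r} is not an option")
        if s.preset is not None and s.preset != s.options[0]:
            findings.append((s.name, s.preset, s.options[0]))
    return findings

def effective_config(settings, user_choices):
    """Apply explicit user choices over presets; list settings still awaiting a choice."""
    config, awaiting = {}, []
    for s in settings:
        value = user_choices.get(s.name, s.preset)
        if value is None:
            awaiting.append(s.name)   # function stays unavailable until selected
        elif value not in s.options:
            raise ValueError(f"{s.name}: {value!r} is not an option")
        else:
            config[s.name] = value
    return config, awaiting

# Constructed sample: hypothetical settings of a social media service.
SETTINGS = [
    Setting("profile_visibility", "accessibility", ("only_me", "friends", "public"), "public"),
    Setting("location_tagging", "amount_collected", ("off", "on"), "off"),
    Setting("activity_log_retention", "storage_period", ("30d", "90d", "365d"), "365d"),
    Setting("ad_personalisation", "extent_of_processing", ("off", "on"), None),
]

if __name__ == "__main__":
    for name, preset, expected in audit_presets(SETTINGS):
        print(f"{name}: preset {preset!r} should be {expected!r}")
    print(effective_config(SETTINGS, {"location_tagging": "on"}))
```

Run against a real catalogue, the audit gives the data controller a list of presets to change or justify, and the second function shows which functions remain unavailable until the user makes an explicit selection.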

GDPR and default use cases

In the GDPR, the reference to the “state of the art” is made not only in Article 32, security measures, but also in Article 25, thus extending this point of reference to all technical and organisational measures incorporated in the processing. In the context of Article 25, the reference to the “state of the art” imposes an obligation, in determining the appropriate technical and organisational measures, to consider current progress in the technology available on the market. (European Data Protection Board, 2020)

The most restrictive use case by default allows access to the basic function of the system (e.g., initial operation, factory settings). This must always be available and initially selected without requiring changes by the user. The default use case must be the one that complies, in the most restrictive way possible, with the principle of minimization. Data controllers must select the appropriate configuration options to ensure that only the data that is strictly necessary to achieve the purpose of the processing will be collected. It should be noted that this case of minimal intrusion may not be unique and that, depending on the complexity of the processing, there may be several cases of restrictive use. In such cases, the data controller must justify the choice of the default. The user must modify the default configuration if they wish to extend the processing of personal data beyond the legal basis on which the “default” configuration was based, or if the new functions are for purposes not compatible with the original purpose for which the personal data were originally collected. In accordance with the principle of fairness laid down in Article 5.1.a of the GDPR, the controller must ensure that no dark patterns are used, i.e., user interfaces designed to influence, covertly and through psychological manipulation, the choices of the subject, at least as regards the processing of his personal data. An example of this type of pattern is to offer the user an attractive purpose based on their behaviour analysis to hide the transfer of data to a third party for purposes that are not clearly defined. (Spanish Agency for Data Protection, 2020)

Conclusion

Even if social media have a legal basis for processing data, there are other requirements to be met to be compliant with the GDPR. This means that social media have to plan and decide how an individual’s personal data can pass through in a safe and secure way. Social media have to ask individuals for permission to use their personal data, whilst simultaneously providing a legitimate reason as to why this information is needed. The next step is implementing privacy by default: failing to do so results in a breach of Article 25 of the GDPR.

Article 25 of the GDPR tackles the need to protect data subjects against an uncontrolled exposure to data processing mechanisms. In addition, Article 25 seemingly attempts to address the issue by proposing the integration of legal rules and principles in information systems architecture and tries to bridge the gap between technology and the law. The need for interdisciplinary legal and IT collaboration is greater than ever and in this context, the data protection provision by default plays a catalytic role for the ever-evolving social media industry.

 
