Mar 2018
Data & Privacy – EU General Data Protection Regulation
Cambridge Analytica has become a household name in recent days as we learn how they had access to valuable data about 50 million Facebook users, which may have played a role in influencing the US elections in 2016. There are a lot of loose ends to this story that are emerging as every day goes by. This brings to the fore an issue that has existed for a long time – based on enthusiasm and euphoria, new technologies are adopted by millions and millions of people all around the world without carefully thinking through important issues such as data security and privacy. Rules and regulations that could potentially help take a long time to develop, and they lag. The rapid pace of technology in the past three decades, fueled by the adoption of the internet, has increased this gap tremendously. Unfortunately, there doesn’t seem to be an end in sight.
Talking about rules and regulations, we are in the midst of implementing the protocols and controls required by the European Union’s General Data Protection Regulation (GDPR). As the site reminds us, we all have 63 days to comply!
A disclaimer – this is a pretty complicated regulation, the details of which are still being vetted carefully and what you will read below is my interpretation based on internal discussions and consultations with other attorneys.
The spirit of GDPR is to provide privacy protections not just to the citizens of the EU, but to anyone whose personal data is collected while they are within the geographical boundaries of the EU, by any entity globally. In other words, this regulation is not just about citizens of the EU or entities in the EU. For example, if Wellesley College collects personal data of anyone while they are within the geographical boundaries of the EU, then we need to comply. Personal data collected from Wellesley students while they are on study abroad in France is governed by GDPR, regardless of their citizenship.
US data privacy laws are generally dependent on the type of person and type of information. For example, FERPA provides data protection for students in educational institutions and HIPAA protects health information of individuals. GDPR is very broad in that sense and it covers all personal information regardless of who is providing their personal information.
GDPR states that the individual providing the data has certain fundamental rights. It requires that all persons covered under the regulation be notified of a data breach within 72 hours of discovery of such a breach. They have the right to know how the personal information is collected, protected and used; they have the right to request their personal information at any time; they have the right to request inaccurate data be corrected; and they have the right to be forgotten in the sense that they can request all of their personal information be erased.
If there are genuine business reasons for retaining the personal information, some of these clauses do not apply. For example, it should be obvious that students cannot ask that their grades (personal information) be erased, but alumnae or ex-employees can request that we erase their social security number (we already do this after a certain period of them leaving the institution).
Penalties for non-compliance are pretty stiff. Though they are tiered, the maximum is 4% of annual turnover or 20 million euros, whichever is greater!
From the end user’s perspective, this is a great framework for protection. However, as I said earlier, this is a regulation that is being imposed pretty late in the game, and the actual implementation is proving extremely challenging for everyone. However, the fact that it is challenging cannot be an excuse, and we have to comply. So, we are all working hard to do just that.
As a first order of business, we are taking an inventory of all systems that collect personal information so that we can be transparent with the users. We will then articulate the data retention policies and associated business reasons and prepare for the logistics of handling inquiries and data erasure requests and how we should be responding.
One of the most important parts of the regulation is about consent to collect personal data. “Companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.” Given that existing consents, written by lawyers, are lengthy, illegible and full of legalese, this will be a major challenge. Many commercial enterprises intentionally make them so complex that, if you are a stickler for such details, you need to hire a lawyer to read and interpret them!
I am a big fan of this consent requirement because I have always argued that we need detailed versions of policies because they are important, but we also need a short and sweet version. For example, the DMCA addresses copyright in the digital age and came to light after peer-to-peer software such as Napster was used essentially to share content freely without compensating content owners.
We ask our students to agree to various policies, one of which is the copyright policy, which reminds them not to engage in illegal sharing of copyrighted materials such as music and film. However, these policies are too long for the 18- to 22-year-olds’ attention span, and I wanted a short and sweet version: “Don’t even think about sharing or downloading music and films illegally! If caught, we won’t help. You will pay a hefty fine and potentially go to jail. Interested in learning more? Click here…” I think this will pass the GDPR consent test, don’t you think?
Facebook’s Terms of Service are 21,333 words long! This doesn’t include thousands more words that are in linked pages elsewhere. Apparently, according to a NY Times piece on Cambridge Analytica, when we create a Facebook account we agree to the fact that Facebook “routinely allows researchers to have access to user data for academic purposes — and users consent to this access when they create a Facebook account.” Really? I saw this somewhat buried here.
Of course, I didn’t have the time or inclination to read Facebook’s terms of service when I signed on to the Facebook craze, so I guess I signed away my rights!