This week marks the second anniversary of the world’s most sweeping data protection legislation — GDPR. The European Union’s General Data Protection Rule, with its stated goal of increasing privacy and extending data rights, has raised awareness of our precarious privacy and spurred other governments to enact legislation too. Most notably, California, home to some of the world’s largest technology corporations, has followed suit with the California Consumer Privacy Act (CCPA).
The initiatives focus on the so-called Right to be Forgotten, where companies are obliged to erase data collected on consumers. In theory, these protections should help people reduce their exposure to intrusive ads, spam emails and, most importantly, the frequent data leaks and hacks that make them vulnerable to identity theft. But, as well-intentioned as the laws may be, they fail consumers. They fail because they put the onus on individuals to fight the corporations alone, effectively creating an unfair fight that the tech giants end up winning. In two years, just a few companies have been fined under the GDPR rules for failing to protect consumers.
But we can fight back. We can take control of our data. The solution lies in using technology to fight technology. Rather than have individuals labor to avail themselves of legal protections against the corporate data collectors, we need to promote tech tools that automate the complicated processes to exert the Right to be Forgotten.
Opting out is a full-time job
Companies collect your data and sell it, spawning a rash of databases of personal information that hackers all too often steal. But what if you could make your information disappear? If your data isn’t there in those databases, thieves can’t steal your identity. Instead, like a ghost, you can explore the Internet safely and reduce your risk of becoming another of the millions of data breach victims.
The problem with the current privacy laws is that individuals must force companies to comply and delete their data to prevent it from being resold or, worse, stolen. It is a manual process in which requests must be served to thousands of different companies, with new ones appearing every day.
For most internet users, it would be impossible to remember every website they handed over data to in the form of signups over the past two decades. To protect their data, users would have to manually opt out of every website they have ever signed up for and hope that they did it correctly and that companies comply. There are so many companies out there that it would be a full-time job to submit millions of opt-out requests.
In 2019, there were more than 2,000 confirmed data breaches and 4.1 billion records exposed in the first six months of the year. On average, 31% of data breach victims later have their identity stolen, according to Experian.
Companies’ data privacy practices are often lacking and antiquated. The average time for companies to identify a breach in 2019 was 206 days, according to an IBM study. That same study found that 77% of security and IT professionals indicated they do not have a cybersecurity incident response plan applied consistently across the enterprise.
Proactive privacy protection
Consumers’ privacy concerns are only heightened in these times of turmoil. From contact-tracing apps to immunity passports, governments and businesses are pushing through new schemes to collect even more data on people in the rush to prevent the spread of coronavirus. For sure, some of these plans say they will take care to protect data privacy. But the persistent breaches suffered by consumers suggest that, generally, the more data that is harvested, the more vulnerable we are.
If the history of data breaches tells us anything, it is that we are likely to see more massive hacks and leaks leading to private data theft because of all of this new data collection in the fight against coronavirus. And what then? The pattern will play out as usual — a mea culpa from the companies responsible and another episode of consumers scrambling to change passwords and secret question codes, reacting — in vain — only after the theft has been reported. The system currently fails consumers, who are like homeowners changing the locks on their door after burglars have cleaned out their house.
We are two years into the experiment of legislation to protect data privacy, two years that have served to show that consumers will remain vulnerable to attack as long as we all persist with a reactive posture of acting after the fact. Instead, it is time for consumers to be proactive, to use available tools that thwart the threat of data theft by automating the process to force companies to delete information. After all, a thief can’t steal your money from a safe if you don’t have any cash in the vault in the first place.
(Harry Maugans is the founder of Privacy Bee, a managed privacy solutions company that helps businesses comply with requests to delete consumer data.)