Changing Data Protection laws

17 April 2018

Interview with

Richard Clayton, Cambridge University Computer Laboratory

Now, we’re following the ongoing story of social media and our data use; Facebook CEO Mark Zuckerberg has been answering some very tough questions recently from US politicians in the wake of the announcement that information about millions of Facebook users was passed to a third party, Cambridge Analytica; this has got many of us thinking about how much companies like Facebook know about us, and how they are using that information. Part of the problem stems from the fact that the law has been slow to keep up with the pace of technology. But, on the 25th of May 2018, the European Union are going to introduce a raft of new data protection measures, called the General Data Protection Regulation or GDPR that will address some of these issues. Richard Clayton is a security researcher in the Cambridge University Computer Laboratory.

Richard - Facebook is basically an advertising company; they exist to make money, like all companies. They make money by putting adverts in front of people and they make more money if the adverts go in front of people who are interested in the topics of the adverts. And if people click on them, if people buy the products which are advertised and the more you know about people on your platform the better you can place the adverts.

Chris - One person pointed out - I think one of the US politicians who was questioning Mark Zuckerberg - pointed out that actually the reach of Facebook extends well beyond Facebook’s own website doesn’t it, because there are all these ‘like’ buttons all over the internet? On the Naked Scientists, for example, we could but we haven’t, but we could have a button saying ‘I like this,’ and that would tell Facebook that a person on that page likes that particular piece of content, which means Facebook is harvesting information about people from well beyond the scope of its own online realm.

Richard - Yes, indeed. And also many apps or many websites let you sign in using your Facebook credentials and, again, Facebook learns the information which comes from there. And indeed, certainly in the past, it’s been the position that if people signed in with Facebook then where you’d signed into was able to see information about the people who had then arrived on their particular site.

Chris - And the EU’s new approach to data protection, which is coming in shortly, will that have teeth and will it make a difference to this sort of behaviour?

Richard - It certainly has teeth and it has made a lot of companies concentrate very hard on whether or not they’re going to meet the new rules. Because fines under the GDPR can be up to 20 million Euros or 4% of global turnover, whichever is higher. And if you’re Facebook with an enormous global turnover, that’s an eye-watering amount of money which they risk if they don’t correctly behave under the new legislation.

Chris - One other interesting thing I noticed in reading the terms of the legislation is that it extends beyond the shores of Europe. So even if you’re not in the EU, if you are a company anywhere handling data from an EU citizen you’re potentially liable to that act.

Richard - It is even wider than that. Because it applies not just to EU citizens but anybody who happens to be in Europe. So, if you’re an American and you come to Europe you will suddenly get EU rights, which you would not have if you stayed in the United States and, effectively, that means that people are treating this as a global law.

Chris - It sounds like a jolly good thing doesn’t it? But what’s to stop someone going to a country that does not respect EU values, EU law, for instance Russia? There are various entities which are now based in Russia online, and they do that because they know they’re beyond the reach of various laws and so on.

Richard - That’s obviously a problem. But large companies tend to be multinational, so even if there are no engineers in the EU, then there may well be a sales operation here and therefore there’s money or there’s people that you can grab. We’ve seen in the case of people breaking laws like anti-spam legislation, that we can scoop them up at the airport when they go on holiday to Barcelona.

Chris - Even though the EU acts within Europe, are other countries, notwithstanding some that don’t want to, but are other countries signed up to this? So if a person in America does something which breaches EU rules, can the EU reach over to America and get them, or South America, or Australia?

Richard - Possibly not unless they come here. But, equally, the problem the EU sees is people behaving within the EU, and then the large multinationals, the household names, are that they produce appropriate systems and it’s quite clear that they’re going to. They’re doing a lot of engineering at the moment in order to make sure they meet the May deadline and you will get all sorts of new rights. You’ll see new permission things popping up on screens; you’ll see that you can do new things like export all of your data.

Chris - But surely, if I’m a hacker and I break into your company and you’ve got a million people’s data on your computer, I steal it, I’m not going to give a toss about what the EU says, I’ll just use that data anyway, but you will get the bill. So isn’t this kind of penalising the guys who are trying to do the right thing, even though there’s some people who don’t want to do the right thing, have actually done the wrong thing?

Richard - Not really. It’s penalising the people who’ve kept your data insecurely in such a way that people can break in and steal it. And the threat of the very large fines means that people are actually going to concentrate on this in an appropriate way.
