General Data Protection Regulation (GDPR) and Private Search Engines

Search Encrypt/ March 30, 2018/ Privacy

The General Data Protection Regulation (GDPR) is a privacy law passed in 2016 in the European Union. Its purpose is to add more protection for individuals living in the EU. This change also affects any business or organization that collects data from anyone living in the European Union. Companies were given two years to comply with the regulation, which will be enforced starting May 25, 2018.

GDPR says that individuals have the following rights:

The Right to Be Informed

Companies collecting and using personal data must inform people as to how they do so. This information must be openly available to users, and written clearly and plainly. Typically, websites and companies will do this in their terms of use or privacy policy. Most private search engines are already open about their data collection and use. In most cases, it is very limited. You can read Search Encrypt’s Privacy Policy here.

The Right of Access

Users can request confirmation from companies about whether their data is being collected. They can also ask for a copy of all of their information that the company has, and the company must provide that information within one month. This will likely force many companies to adopt new practices for storing their user data, and then find a quick, easy way to respond to data requests. Fortunately for private search engines (and their users), they have very little, if any, information to share in the first place. Some companies may find themselves overwhelmed with information requests after the regulation goes into effect.

The Right to Rectification

Because there is a possibility that the data gathered is incorrect, people can ask to have their information corrected or completed. The data gatherer is then responsible for passing the corrected information to the third parties they previously shared data with.

The ability to rectify incomplete or incorrect data is important in combating incorrect data profiling. Prior to this law, users’ data was often out of their control and could lead to losing out on jobs, loan approvals, etc.

The Right to Erase

Users have the right to request that their information be deleted if there is no longer a reason for it to be stored. This isn’t a complete “right to be forgotten”, but it does provide protection from outdated information staying on the internet.

The Right to Restrict Processing

This right allows users to restrict further use of their data. While the groups storing information can continue to store it, they are no longer permitted to process that data. This is another step towards empowering internet users, and will help make the entire internet better.

The Right To Data Portability

This right allows users to take their data and apply it elsewhere. Data portability allows users to take their data from one source and use it for other applications as they choose. Without this right, data is stored by companies in a “data silo”, which makes it difficult for users to apply that information elsewhere.

The Right to Object

Users are permitted to opt out of having their data processed. If data processors don’t have a legitimate and compelling reason to process an individual’s data, users can object for any number of reasons. As a private search engine, we believe that there is rarely a legitimate and compelling reason to process an individual’s data. Delivering positive user experiences doesn’t need to come at the expense of privacy.

Rights in Relation to Automated Decision Making and Profiling

Currently, if a company’s data profile has negative impacts for someone, there is little the person can do to change those outcomes. There is very little transparency in automated decision making based on data profiles. Following GDPR, users will be able to request answers as to why they were denied. Another outcome could be more human intervention to prevent unwarranted, negative outcomes.

Personal Data vs. Sensitive Personal Data

Before it explains how the regulation applies to different types of data, the GDPR explains the difference between personal data and sensitive personal data.

Personal data is data which relates to a living individual who can be identified either directly from that data or indirectly from that data and other information which is in the possession of, or is likely to come into the possession of, the data processor.

Sensitive personal data is information including the racial or ethnic origin of the data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, whether he is a member of a trade union, his physical or mental health or condition, his sex life, the commission or alleged commission by him of any offence; or any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

The Biggest Takeaway from GDPR for Individuals

GDPR is empowering users by giving them more rights. With these additional rights come more opportunities to combat data profiling and data collection in general. However, people need to actually act on their rights and stand up to the companies using data against them. As the regulation’s enforcement approaches, it’s likely that understanding will grow at the consumer level.

What Companies Should Do With GDPR

Obviously, the biggest concern for companies before the May 25 deadline is compliance. If companies fail to meet the requirements, they face fines of up to €20 million. Another angle organizations should take advantage of is the chance to build consumer confidence. By updating privacy policies and building user trust, many companies stand to benefit from GDPR’s policy changes.

GDPR looks to shift the entire culture around internet data privacy, which should be a benefit in the long run. Without changes in policy, the internet would have likely maintained the status quo, which wasn’t beneficial for its users.