Data protection is mainly our decision (Peter’s story)

Jan 28, 2021

Pavol Szabó from the Slovakian EFDPO member Spolok pre ochranu osobných údajov illustrates the importance of individual responsibility for the success of data protection based on the story of a fictitious private person. A plea for information and awareness of the general public to celebrate Data Protection Day 2021.

Negativistic, deterrent, or glorifying articles on GDPR and personal data protection have flooded the Internet, culminating in a memorable date on 25 May 2018, and this trend continues to this date. Perhaps only an invisible minority wonders where the GDPR ends and where the individual responsibility of all of us, who transfer our identities into the electronic online world, begins.

Many of the fundamentals and principles of security and privacy and personal data were applied (whether through law or non-legally binding standards) long before the GDPR entered into force. The EU regulation was a scarecrow particularly for small and medium-sized enterprises, whose taximeters of unplanned budgets were overloaded, and they have found salvation in documentation templates obtained at the cost of a more expensive lunch in a restaurant. An average consumer and Internet user in turn has discovered the possibility of “payback” against an entrepreneur who has not delivered a service or goods according to his ideas. However, both approaches are incorrect and erroneous.

GDPR is primarily about the proper overview of an entrepreneur over the flow of personal data that he is processing and about the (transparent) control of natural persons over their personal data and their own privacy. However, this will not help if you do not have control over yourself. We may discuss businesses next time, let´s get to the Peter’s story now.

Peter’s story

Peter – the data subject, with unrivalled readiness after discovering the GDPR, drafted a complaint to the Data Protection Authority because he had become an addressee of an unwanted newsletter, unaware of the fact that he had been receiving the newsletter to his email box for several years and subscribed for the newsletter himself years ago. In his complaint, Peter in all seriousness referred to the GDPR, to his alleged new rights, and argued that no one had asked him for his consent. In his submission, he resolutely added that sending newsletters is annoying and intrusive for his privacy. Peter thus felt a serious violation of his rights and freedoms (among other things, the annoying email took up 37 kilobytes of his email cloud). Whether the email service provider uses secure servers and where these servers storing Peter’s private and business communications are located somewhere in the world, is irrelevant to Peter.

Having finalized and sent the complaint, Peter is opening his social networks with a feeling of satisfaction and immediately posts information about his act in his status in order to inspire others as well. Since Peter has also spent a great day with his family at the city market, he is posting dozens of photos of himself, his wife, his children and, of course, dozens of other people who flickered in the camera lens on the social network. The photos are really of high quality and capturing the right moment, so in order to get the proper attention, he decides that sharing will be set not only with his friends, but also with his friends’ friends, which has increased the reach exponentially. By browsing the social network, Peter does not even realize that the social network profiles and automatically evaluates his every click and movement on the social network and even on all the websites he visits while logged in. He is often just (unexpectedly) surprised at how targeted advertising offers him products and services that he viewed on e-shops or discussed in forums just a few seconds ago.

Peter enjoys relaxing with online and mobile games, ideally if offered for free. Peter will do everything to get them free of charge, he will agree to any terms and give consents to personal data processing. Peter does not realize that the companies developing and running the applications do not do philanthropy for living and monetize the valuable data they collect about Peter and tens of thousands of other people by providing them to their business partners, based (mainly) on voluntary consent given by the users. Peter even did not bother to read (even specifically separated from the rest of the text) the conditions of the consent given to his personal data processing  and did not notice the clear sentence that he was not obliged to give much of such consent in order to enjoy the application sufficiently.

The only “cost” is a handful of consents to the processing of personal data and terms

Peter has been a huge fan of smart homes and appliances for many years. He is able to control the home lighting, heating, coffee maker, washing machine, refrigerator, robot vacuum cleaner and other devices remotely from his mobile phone outside his home , while all data is stored in the external cloud of several companies that operate particular devices. Peter has found an even easier way and identified that at many of these providers he does not need to log in through all his individual accounts to control individual devices, he only needs to use his single social network account, which interconnects them all. The only “cost” was a minute of his time and the acceptance of a handful of consent to personal data processing and business terms, so that the social network is authorised to access all the data from the Peter’s smart devices. Peter’s bliss came when he found out that the social network had offered him another software product that would centrally collect and evaluate all the data (for free of course) and it will be able to show him practically his whole life in numbers, tables and graphs. How much electricity the device consumes per month, how many hours he spends relaxing etc. The data collected from the smart pot, cup, coffee maker, watch, pressure gauge and thermometer will evaluate his healthy eating and living. Subsequently, the application will offer Peter a tailor-made training and nutrition plan and when he should go to bed, while also offering him ideal destinations where he should go on vacation including other benefits, naturally with the respective price offers.

As Peter managed to achieve better results in the applications only after a month, he shared all the data on a social network and he connected with dozens of other (even unknown) people through his social network account, who share their numbers, tables and lifestyle charts, including the GPS position by switching on the active mode of the smart watch, so that they know about each other, if they happen to perform sports close to each other, so they are able to do sports together, or at least take a selfie for all the numerous members of the fan groups created on social networks.

After a very busy day, sitting with his favourite herbal vegan tea, Peter, opens public discussion forums on his laptop, connected to his neighbour’s unsecured WIFI, to learn something new and, if necessary, to contribute with his original opinions. At health forums, he complains about his diagnoses, his illnesses as well as about the illnesses of his whole family, of course discreetly only under his pseudonym. Under the same pseudonym, however, he also contributes to other forums where he also shares other sensitive personal information, however, at one of them he has mentioned also his name and surname, including his residence address, since the forum deals with affairs in his city. Even a primary school freshman is able to google out a lot about Peter, from everything he has posted and uploaded on the Internet and from the public registers, download many photos of Peter and his family which Peter has already shared, also information on which real estate he owns, what and with whom he runs business, and even whether he runs business successfully or whether he is a regular payer of levies and other personal information.

This article is not telling you “Don’t be like Peter”

Of course, this story and some of its technical aspects are fictitious, however it is based on practical experience. How many of you have at least partially found yourself in this story? I partially did. It is also very comfortable for me to have everything in a cloud and access the data from any place, or to light up my whole apartment by just a single voice command. Thus, this article is not telling you, “Don’t be like Peter” but it should make you think about the extent to which your data is beyond your reasonable control or overview.

Now try to imagine Peter’s online life in a tangible world. Would you be able to set up a public notice board in the city centre to pin hard copy photos of yourself from various events, including the photos of your whole family from private events? Would you also publish a description of your health problems on this notice board? Do not forget to pin several copies of photos and documents relating to you and your family so that passers-by can take them and spread them among others. This idea may seem to you absurd, but the same thing happens in the digital world, with an incomparably larger number of people accessing your data online, which you voluntarily share publicly. Professional software developers compete in who comes up with a more sophisticated algorithm that connects and evaluates everything freely available on the Internet so that comprehensive and valuable information can be acquired about anything, more frequently about anyone. Those who really need to misuse the information will certainly not ask for your consent and will not send you an information email stating that they have added their privacy policy and that you can find all the information on your personal data processing on their website with the possibility to exercise the right of access.

The GDPR gives you control over your data – but you are the one who has to take it

The GDPR is based (not only) on transparency, confidentiality, as well as on the principle that the controller shall process your data exclusively to the extent necessary for the specific purpose, for the necessary period and on the relevant legal basis. The essential purpose is thus not that you should leave the digital environment completely or delete your whole online identity, the essence of privacy regulation is to receive a proper overview of where your data is located, what purpose companies use it for and to whom they provide the access. Consequently, the point is to offer you the relevant control over your data in the world of data 3.0. and on the “Internet of Things”, but first and foremost, you must have control over yourself.

The protection of privacy and personal data must be rooted primarily in all of us, because no law or force majeure will protect irresponsible users. How we want our privacy to be protected is primarily up to us and is based on our decisions. Many of you have certainly experienced the feeling that your grandmother remembers nearly every highlight of your childhood. And remember the uncomfortable feeling when she mentions such highlights to your new girlfriend or boyfriend? As for the memory and especially as for the data retention period, the Internet and Google will outperform your grandmother many times. In your defence you might say that your data is worthless or that you have nothing to hide. However, then you can say that you do not care about freedom of speech, because currently you have nothing to say. However, your parents or grandparents could talk for hours about what it was like to be afraid to say or write anything you want and publicly. The GDPR represents only the means; the extent of our privacy is mostly decided by us.

About the EFDPO:

The European Federation of Data Protection Officers (EFDPO) is a European network of national associations of data protection and privacy officers. Our mission to create a strong political voice for our profession in Brussels. Currently, the EFDPO has 9 effective member associations and two associated mambers and welcomes the application of further members. Click here for more information.

Recent news

EFDPO Conference. 28 & 29 May 2024, Berlin

EFDPO Conference. 28 & 29 May 2024, Berlin

One of EFDPO’s goals is to create a European network of national associations for the exchange of information, experience and methods, and to improve the quality of training and professional practice.

read more
Position paper on GDPR Evaluation 2024

Position paper on GDPR Evaluation 2024

This paper highlights how, from the perspective of data protection practitioners, the business sector –
particularly small and medium-sized enterprises (SMEs) – can be better supported in meeting data
protection requirements within the context of increasing digitization.

read more