By Aigerim Berzinya
So, GDPR is up and running and everyone is compliant, right? Wrong. All online companies and websites working with EU citizens should be, but there are plenty of unresolved issues surrounding GDPR compliance. The number of companies and websites that still don’t understand GDPR is staggering, with many simply choosing to ignore it.
A lot of EU citizens are aware that the GPDR has come into effect and it seems some of us, at least, know our rights. EU regulators saw a massive spike in user-submitted complaints after GPDR. This is excellent news, showing that the regular Joe Soap is aware that she has the power to fight to keep her online data private. Let’s hope that EU regulators investigate all cases and provide appropriate fines – €20 million or 4% of global turnover, whichever is larger. Perhaps with time they will. I want to take a look at some of these cases and some of the convoluted efforts of those trying to circumvent the regulations.
Reddit, is brimming with examples showing how online (and not exclusively online) businesses are trying to make the process of deleting your personal data much harder than it should be. In theory, all you have to do is notify a site and let them know you want your private data, which you shared with them, deleted. They should simply delete it, but things are rarely that simple.
Reddit user – Okeur75 – tried to exercise their rights and remove private data from various websites, a move made possible under the GDPR. Many sites complied, with the procedure being fairly simple. Log in, delete your account, email company notifying them that you want your private data deleted and that’s it. But, there’s always a BUT.
Most companies played ball. Some asked Okeur75 to file a ticket with their support teams, unnecessarily complicating the procedure. Others asked the user to send them a physical postal letter, officially notifying them about their desire to have their private data deleted, completely unnecessary. The worst case included a site asking the user to send them:
Passport cover; passport personal page; selfie with the passport personal page + a handwritten note ‘withdraw consent’ + the current date. And last, but not least: a video of me in which I’m holding my passport on the personal page + the above mentioned handwritten note + me saying ‘I wish to withdraw my consent.'”
This site only had access to Okeur75’s email address. When we look at a case like that of Okeur75 we have to wonder, why would some entity (a company or a website) go through all of this just to make the process of users deleting their private data so complicated? Such steps could be understood if you wanted to delete an account tied to a financial service. Sending a picture along with a passport page so that identification can be clarified is understandable. But, if a company solely has access to your email address and makes the process of deleting it so gratuitously convoluted, you can bet there’s something fishy going on. Be warned.
My second example relates to British Airways. BA went bonkers and asked their users to send them private data in order “to comply with the GPDR,” which is clearly a no-no. They asked users to send data via Twitter and incredibly some did. BA’s social media staff soon realized what they had done and later notified users to send data via direct message, but the damage had been done.
So British Airways is asking for people’s personal data over social media “to comply with GDPR”, and some people are even replying directly in the public feed.
— Mustafa Al-Bassam (@musalbas) July 16, 2018
British Airways had asked for “full name & booking reference,” as well as “2 of the following: passport number & expiry data, the last 4 digits of the payment card, billing address & post code, email address.” Here we are talking about this, it’s no secret, so a GDPR fine better be in the post to BA. Minimum.
This is bad, but it gets worse. The same user who posted the Tweet above, also sent a formal complaint to British Airways because their site leaked private data via cookies. In other words, the company (even though they are a transportation business) leaked private data to advertisers, weeks after GPDR came into effect. This screams maximum penalty plus maximum penalty. It seems British Airways think Brexit is in place and EU rules don’t apply.
I’ve sent the following complaint to British Airways, feel free to do the same if you’re also a British Airways customers: https://t.co/NXMd6AMF4F
They’ll have a month to resolve the situation and comply with privacy regulations before the ICO gets involved. pic.twitter.com/dIztpmgd7A
— Mustafa Al-Bassam (@musalbas) July 19, 2018
My final example relates to DBS Bank in Singapore. Reddit user chivalry5152 posted about their troubles with DBS. After having an application rejected he asked them to delete any private data they had, which is in compliance with GPDR. The bank denied the request informing the user that they didn’t store any form of private info contained in rejected applications on the company’s servers. They did state however that they stored certain data such as registered name, company, and contact details and further explained that the bank’s Singapore database didn’t have to comply with GDPR (the user is a citizen of the UK). It did. They were storing data from a UK citizen meaning a citizen of the EU. In other words, if an entity stores data relating to an EU citizen, it should comply with GPDR no matter the physical location of the server.
Further, chivalry5152 was able to access his application along with all data stored within it, and they didn’t see an opt-out notice (the user even ran UK VPN address) on the bank’s website even though they should offer that for all IP addresses originating in the EU. Another shady practice from a huge company, a bank, that should be investigated by authorities and maximum fine.
The first step has been taken, the rules have been put in place. Anybody dealing with the EU or its citizens must get on board and the GDPR regulators must up their game. True, these rules weren’t made to be broken, but they will be. The fact remains that it is simply impossible for all complaints to be followed up. How many websites are there, how many users? We, the individual, must become responsible and monitor what we sign up to, who we give our information to, but at the same time the maximum penalties must be handed out immediately as a warning to all.
A small food delivery start-up can be forgiven for not complying fully only a few months after regulations have been put in place, British Airways cannot and must not. Banks cannot and must not. If the fines aren’t forthcoming neither will compliance.