Is the protection of our personal data a lost battle?

UK, July 10, 2018.- The data is the new oil of the 21st century. And the personal data of each human being is the object of desire of private companies, public administrations and other interest groups.

The protection of our personal data is endangered, above all, by the technological giants and the social networks we carry on smartphones. That magical device, connected to the Internet, where we carry our whole life and that we can not despise.

Computer security experts say that a Smartphone is only safe when it is turned off. That is, a Smartphone, laptop, tablet or PC will never protect our personal data if they are connected to the Internet.

Probably, the protection of our personal data is a lost battle, for almost 60 years with the birth of the Internet. And since 2004 with the launch of Facebook. Another said Internet user: “If the tool is free your personal data with the product”.

Despite these considerations, there are legal initiatives that try to show us that it is possible to win this battle. The EU’s data protection laws have long been regarded as a gold standard all over the world. Over the last 25 years, technology has transformed our lives in ways nobody could have imagined so a review of the rules was needed.


In 2016, the EU adopted the General Data Protection Regulation (GDPR), one of its greatest achievements in recent years. It replaces the1995 Data Protection Directive which was adopted at a time when the internet was in its infancy.

The GDPR is now recognised as law across the EU. Member States have two years to ensure that it is fully implementable in their countries by May 2018. The timeline below contains key dates and events in the data protection reform process from 1995 to 2018.

The timeline also contains highlights of some of the ways that the GDPR strengthens your right to data protection.

This analysis on the protection of personal data can be critical or catastrophic. For these reasons, I also highlight other information and reflections from prestigious media in the UK: The Guardian, Politico Magazine and BBC NEWS:


How many people know your bank or credit card details? The answer is probably more than you think. Every day, millions of consumers willingly hand over their names, addresses and payment details to order goods or fill out application forms online. In exchange for the provision of these services, we trust that the various organisations we hand them over to will keep them safe and away from prying eyes.

Over the past few years, this trust has been strained, with data breaches increasing in both size and scope, with consequences for individual consumers. Once stolen, personal data is often sold on to third parties, with members of the public only realising that their bank or credit card details may have been compromised weeks, months or even years after they have been taken.

There were rules governing the handling of personal data mandated by the Data Protection Act 1998. However, in the decades that have followed, due to the emergence of new technologies such as AI and social media, regulators and lawmakers have increasingly recognised that new laws are required, not only to bring legislation up to date with technological developments, but to grant consumers greater rights over how their personal data is used.


In recognition of this, two years ago, EU lawmakers passed the General Data Protection Regulation (GDPR), which harmonises data protection law across Europe. The new regulation came into force on 25 May 2018, and enhances consumer rights in relation to access to their data. The UK government has also passed a new Data Protection Act to address certain areas where the GDPR gave discretion to the member states.

“What the new Data Protection Act says is that when organisations process personal data, or procure new software, they have to consider encryption techniques,” explains Chris Pounder, the co-founder of information law training firm Amberhawk. “They have to, by law, integrate security and data protection in their procurement process.”

If a breach does occur that has a high risk of impacting the individuals whose data is involved, GDPR requires it to be reported to a country’s data regulator within 72 hours, and any individuals who are at risk of significant adverse effects to be informed (for example: identity theft, financial loss, limitation to rights, risk to reputation etc). In the most serious cases of non-compliance with the law, regulators now also have the power to issue fines of up to €20m (£17m) or 4% of an organisation’s annual global turnover.


Rules are only as good as the people who use them. And the same goes for Europe’s new privacy rights. Several nonprofit and privacy organizations are already planning a full-court press in terms of data protection complaints against some of the world’s largest tech companies. But that doesn’t mean that you, as a citizen, shouldn’t also take advantage of streamlined enforcement mechanisms that are supposed to make it easy for everyone — even a digital novice — to ask any company what information they hold on you and, if you decide, to pull the plug on such data access.

So what rights are worth focusing on? Under the new rules, anyone can pull their consent from companies collecting and using their data at the drop of a hat. That could be particularly helpful if, say, a large social network or search engine uses your information for something like intrusive targeted digital advertising that you’re not the biggest fan of.

It’s become a cliché to say that all companies are now digital companies. But it’s also true that data collection is no longer limited to the likes of Google and so-called data brokers, or companies that vacuum up people’s information to sell to the highest bidder.

Everyone from global automakers to your local neighborhood restaurant holds some form of information on you, even if that’s just an email address or phone number. And Europe’s new privacy standards are pretty clear on the responsibilities that these firms now have — there are no more excuses. If you collect people’s information, and then something goes wrong, you’re on the hook for potentially eye-watering fines, no matter what your reasons for not complying may be.

“GDPR is real, there’s no grace period,” said Trevor Hughes, president of the International Association of Privacy Professionals, a trade group. “Expect regulators to be activists in policing the new rights.”


So it’s time to get your house in order. For some, that involves the wholesale deletion of customer mailing lists, which, to me, feels like using a hammer to crack a nut. You don’t have to go to such extremes. But a basic audit on what data you hold, how it’s used and who outside of your company also has access to it are the first steps toward compliance, which should have been well underway ahead of the May 25 deadline.


Complaints have been filed against Facebook, Google, Instagram and WhatsApp within hours of the new GDPR data protection law taking effect.

The companies are accused of forcing users to consent to targeted advertising to use the services. Privacy group led by activist Max Schrems said people were not being given a “free choice”. If the complaints are upheld, the websites may be forced to change how they operate, and they could be fined.

The General Data Protection Regulation (GDPR) is a new EU law that changes how personal data can be collected and used. Even companies based outside the EU must follow the new rules if offering their services in the EU. In its four complaints, argues that the named companies are in breach of GDPR because they have adopted a “take it or leave it approach”.

The activist group says customers must agree to having their data collected, shared and used for targeted advertising, or delete their accounts.This, the organisation suggests, falls foul of the new rules because forcing people to accept wide-ranging data collection in exchange for using a service is prohibited under GDPR. 

“The GDPR explicitly allows any data processing that is strictly necessary for the service – but using the data additionally for advertisement or to sell it on needs the users’ free opt-in consent,” said in a statement. “GDPR is very pragmatic on this point: whatever is really necessary for an app is legal without consent, the rest needs a free ‘yes’ or ‘no’ option.”

Privacy advocate Max Schrems said: “Many users do not know yet that this annoying way of pushing people to consent is actually forbidden under GDPR in most cases.”


Another reflection on the Internet in this Blog

What’s the Internet?