Companies are collecting your personal data. Here's what to know
We take an in-depth look at what personal data is and how it is collected.
Category
🗞
NewsTranscript
00:00 TikTok, everyone's favorite app, except, well, not governments.
00:04 And why?
00:06 Well, it all comes down to data.
00:08 All those millions of TikTok users
00:10 provide a lot of their personal data.
00:13 And who do you think has access to that data?
00:16 Well, that's what's got lawmakers in the West worried.
00:19 But what about all those other apps and sites
00:22 we give our data to?
00:23 Should we be concerned about where it's all going?
00:26 To answer those questions, we first
00:28 need to take a look at the lifecycle of your data,
00:30 so how it's collected and where it goes after that,
00:33 and how this data collection can be problematic for you
00:36 as a consumer.
00:38 Then we'll explain the laws that the EU brought
00:40 in to combat these problems.
00:42 And finally, we'll help you understand
00:44 the steps you can take to exercise your data protection
00:46 rights.
00:48 OK, so first off, what does the term "personal data" even mean?
00:53 Well, it means things like your name, your age, your email
00:56 address, your home address, even your IP address, which also
01:00 shows your location, even if it's not as precise.
01:03 Some of our personal data can be pretty sensitive,
01:06 things you wouldn't really want public or getting
01:08 into the wrong hands, such as your sexual orientation,
01:12 or health data, or data that reveals your race or ethnicity.
01:17 And how does all this data get collected?
01:19 Personal data are collected in many different ways.
01:23 That's Gianclaudio Malgeri, a co-director
01:26 of the Brussels Privacy Hub.
01:27 For example, when we create a profile on a social media
01:31 platform, or when we create a profile on email service,
01:37 and so on.
01:39 That data collection can be really
01:40 useful and beneficial for us.
01:43 Our data is used for everything from banking to even health
01:46 care.
01:47 For example, the more data we have about our past illnesses
01:50 and the treatments we received, the more
01:52 our doctors can understand about our health now and help us.
01:56 And this sort of data collection has been around for ages.
02:00 What makes things new is how it's now
02:03 being collected online in ways that are difficult to monitor.
02:07 Today, way more of our personal data
02:09 is being stored than ever before.
02:12 And how is that done?
02:14 When we log into a Wi-Fi, the MAC address of our computer
02:20 or of our mobile phone is collected and connected
02:25 to that, the IP address, which reveals our geoposition.
02:30 Cookies are specific technologies
02:34 that are through our browsers on our devices
02:39 and can collect our navigation histories, our web data,
02:44 our engagement data.
02:47 And there's also social media.
02:48 When we put a like on Facebook or on Instagram,
02:51 we're providing data.
02:54 So for example, I could be taking a train from London
02:56 to Paris and browsing my favorite online shop looking
02:59 for a new coat for a while before switching over
03:01 to social media, where I scroll to pass the time.
03:04 What pops up on my feed?
03:06 An ad for a fashion store in Paris selling coats.
03:09 Coincidence?
03:10 Nope.
03:11 The browsing data from my shopping search plus my IP
03:13 address were used to show me an advert for something
03:16 I might be interested in.
03:18 But sometimes the information we're giving away
03:20 is more sensitive than our fashion choices.
03:23 There are some personal data that
03:25 are considered special categories of data
03:27 or, as we generally say, sensitive data.
03:31 These include, for example, data about sexual orientation
03:36 or sexual life, political beliefs,
03:39 religious affiliations, trade union membership,
03:42 genetic data, health records, data related to health,
03:46 health conditions, biometric data
03:48 with the purpose of identifying individuals.
03:51 So for example, our face or our eyes and so on.
03:57 And that sensitive data can be really useful for some.
04:01 Data is the power.
04:03 It's just this instrument which gives you access
04:05 to a lot of other rights.
04:06 That's Romain Robert, program director,
04:08 privacy non-profit NOIP.
04:10 Right to target people, to provide content,
04:13 to censor some content, not to show content
04:15 to some people if you don't want to show them some content,
04:18 to influence their political behavior.
04:21 But it's clear now that we didn't
04:23 do enough to prevent these tools from being used for harm
04:26 as well.
04:27 And that goes for fake news, foreign interference
04:30 in elections and hate speech, as well as
04:32 developers and data privacy.
04:35 We didn't take a broad enough view of our responsibility.
04:38 And that was a big mistake.
04:40 That is Mark Zuckerberg, CEO of Facebook,
04:44 back in 2018 when he was apologizing to the US
04:47 Senate for the social media's role in the Cambridge Analytica
04:50 scandal.
04:50 That was when Facebook facilitated
04:52 the collection of the personal data of thousands of people
04:55 by the British firm, which was then used to influence
04:58 political behavior.
05:00 So yeah, data is powerful.
05:03 The CA scandal focused on the US.
05:06 But it showed the huge threat that the misuse of data
05:08 poses to democracy, and more broadly, human rights.
05:12 Pretty scary stuff, right?
05:14 So the EU decided a change was needed.
05:17 And the first regulation to come in was the GDPR.
05:21 It's a general data protection regulation.
05:25 It's legally binding across the 27 different European states.
05:29 And it also applies to any organization
05:31 that collects data on EU citizens,
05:34 even if it's not based in the EU.
05:36 So the GDPR is one of, if not the toughest,
05:39 privacy and security laws in the world,
05:41 and underlines data protection as a fundamental right.
05:45 Meaning, well, your personal data should be protected
05:48 and it should be used in a fair and legal way,
05:51 meaning it should be collected for a specified purpose
05:53 and with your consent.
05:55 And also, you have the right to access your data
05:57 and to change anything that is wrongly recorded.
06:00 One of the main principles of the GDPR
06:05 is to rebalancing vulnerabilities and power
06:08 imbalance.
06:09 So the GDPR was conceived as a way
06:12 to reduce the adverse effects, or to prevent or mitigate
06:17 the adverse effects of power imbalance between companies
06:20 processing our data, public administration,
06:23 and individuals that might suffer from vulnerabilities.
06:27 Organizations also have to stick to seven principles
06:30 or risk paying a hefty fine, like in 2021,
06:33 when Amazon was fined 746 million euro by the EU.
06:38 Basically, those principles focus
06:40 on making sure any data that's processed
06:42 is done lawfully, accurately, and for an actual purpose,
06:46 because an organization shouldn't be collecting data
06:48 just because they can.
06:51 And even though they already have the toughest data
06:53 laws in the world, the EU decided
06:55 the GDPR didn't go far enough.
06:58 So lawmakers have brought in the Digital Services Act package,
07:02 combining two acts, the Digital Services Act, the DSA,
07:06 and the Digital Market Act, the DMA.
07:09 Without going into too much detail,
07:11 the DSA will protect users by giving us more control
07:14 over what we see online, things like targeted advertising,
07:18 and stop us seeing illegal or harmful content.
07:21 And then the DMA focuses more on boosting the digital economy
07:25 by helping smaller digital companies compete
07:27 against the bigger ones.
07:29 But the question is, even with these new rules added on,
07:32 has the GDPR really made your data that much safer?
07:37 On paper, it's a good law.
07:39 That's Paul-Olivier Dehey, privacy expert
07:41 and CEO of Hestia Labs.
07:43 It's definitely going in the right direction.
07:45 It's being copied around the world.
07:47 But there is a severe, severe problem of enforcement.
07:52 Enforcing the law across the 27 states is difficult.
07:55 The way it works is like this.
07:58 There are 27 National Data Protection Authorities,
08:00 or DPAs, one for each country, which
08:03 act independently from the government to enforce the GDPR.
08:06 All the DPAs work together within the European Data
08:09 Protection Board.
08:11 And at the top, the European Data Protection Supervisor
08:14 manages everything.
08:16 It's super complicated to enforce the GDPR
08:20 in a cross-country case involving more than two
08:26 or three countries, usually.
08:27 So even the Commission recognizes
08:29 that enforcement is an issue.
08:32 So to try to fix these flaws, the EU Commission
08:35 is working on yet more new rules to be
08:37 brought in in summer 2023.
08:40 OK, so you get it.
08:42 It's not perfect.
08:43 But well, it's not all bad either.
08:46 The GDPR is indeed a very good balancing
08:48 between the free flow of information
08:51 and the protection of individuals.
08:53 On the one hand, we have clear principles
08:56 like lawfulness, fairness, transparency, purpose
08:59 limitation, data minimization.
09:01 Then we have clear rights, right to access to all my data,
09:06 right to erase personal data relating to me
09:10 that are being processed by some data controllers
09:13 that maybe I don't want to, right to object,
09:16 right to rectification of personal data.
09:19 There are interesting accountability duties
09:23 that data controllers need to respect.
09:25 For example, impact assessment or recording
09:30 of data processing.
09:32 OK, now let's get back to what you're really here for.
09:35 What can you do to protect or access your data?
09:39 So let's start with your rights.
09:41 As a consumer or data subject, you
09:43 have the right to know why your personal data is being
09:46 processed, where the organization got your data
09:49 from, who it will be shared with,
09:51 and how long it will be stored.
09:54 And also what type of personal data is being processed.
09:58 For example, anything that might relate to health, race,
10:02 or political beliefs, or any other sensitive information.
10:06 And crucially, how to exercise your data protection rights.
10:11 Let's see a real life example of how
10:13 you could exercise those rights we just talked about.
10:17 Well, let's say I ordered that code I was looking out
10:19 on the train, but now I keep on getting pestered
10:22 with emails from the company.
10:24 I want to find out what personal information I provided
10:27 when I made my order, and also ask them to delete that data.
10:31 I should send a written request to the company's data
10:36 protection officer, or if they don't have one,
10:38 just sending to their general contact address is fine too.
10:42 And specify exactly what I'm asking them to do,
10:45 giving them enough information for them to identify my data.
10:48 So in this case, my name, contact info,
10:51 and the item I ordered.
10:52 Oh, and remember, there's no fee for making a data access
10:56 request.
10:57 After I've sent this, the company
10:59 has one month to respond to my request, or up to two
11:02 if the data is complex.
11:04 In this case, the data the company will have on me
11:07 includes my name, email address, my phone number, my home
11:11 address, where they sent the code I ordered,
11:13 and a list of all the other orders I've ever made with
11:15 them.
11:17 And if I'm unhappy with the outcome
11:18 and want to make a complaint, I can then
11:21 contact the National Data Protection Authority
11:23 in my country, who take action and make sure that the company
11:26 sticks to the rules.
11:29 Just remember, it is your right to be
11:31 able to access the personal data that an organization has
11:34 collected about you.
11:36 And knowing your rights is important.
11:38 It's your fundamental right to know what is going to be done
11:41 with the data, because it's a democracy.
11:43 And you want to know what is going
11:44 to be done with your data.
11:45 Information is power.
11:47 If you don't know with whom you share the information,
11:49 you don't know with whom you share the power.
11:52 [MUSIC PLAYING]
11:56 [MUSIC PLAYING]
11:59 (upbeat music)