GDPR in Europe: Citizens with Super Power and Companies with Restrictions


A few weeks ago, a leaked internal video from Google titled “The Selfish Ledger” appeared online. The video is but a thought experiment, one of the numerous projects that are brainstormed at Google’s X, formerly known as Google X. X is a lab that focuses on projects that aren’t ready for use just yet, and others that may never see the light of day. Some famous X projects include the Waymo self-driving car, the infamous Google Glass AR glasses, and Project Loon - Google’s take on providing affordable internet access to underdeveloped countries.

The aforementioned Selfish Ledger video describes a future in which every user of Google products will have their own virtual ledger that will include every bit of data gathered relating to that user. Everything we do - typing emails, tracking steps, ordering food online, saving photos - is tracked, gathered, and saved in this ledger. The ledger in turn can use this information to steer our behavior in certain directions. At the start, the user is the one who decides which goal they want to achieve, like losing weight. The ledger will then guide the user and help them achieve their goal by advising them to walk rather than call a cab, by showing them healthy food choices, and so on.

In the future, the ledgers could start gathering missing data on their own, and scenarios like a ledger ordering a custom printed scale in case it doesn’t have info on its user’s weight may not be too off the mark. The design of this scale will be based on the user’s design preferences, calculated from data the ledger has gathered. Ultimately the Ledger can be used and manipulated in the same way that genes are, passing information down to new users and using the previous users’ data to drive the behavior of new generations. Creepy, isn’t it?

While the video has lots of problems, one of them being the fact that some of Google’s patents already include ideas from the Selfish Ledger video even though Google claims that those ideas aren’t used in current products, the biggest problem is that the word privacy is nowhere to be found. The Selfish Ledger lasts for almost nine whole minutes and the word privacy isn’t mentioned, not even once. This is highly disturbing. It seems Google thinks we are willing to completely sacrifice our privacy and without thought allow our behavior to be sequenced and controlled. The second problem is the multigenerational nature of the Selfish Ledger, meaning our data is to be used even after we stop using Google services, even after we stop using Android and switch to iOS, even after we die.

The Selfish Ledger video is a perfect example of all the problems tied to online privacy. Many of us ask whether there is a way for us to be protected by our governments, or whether we live in a world where private companies have finally become more powerful than countries. Well, as long as you are living in the EU, you can rest assured that there is a law, a policy, a regulation that will keep your data and your privacy secure and anonymous. Its name is GDPR (General Data Protection Regulation) and it came into effect on May 25th, 2018. Let’s see what it does, how it affects companies, and how you can use it to your benefit.

GDPR basics explained

You may have received emails from different services you use telling you they are changing and updating their Privacy Policies. All of these updates are forced. These companies had to update their policies or else block each and every user that is an EU citizen. And better still, the IP address of a user isn’t the deciding factor. Instead, a user’s citizenship is what matters, meaning that companies cannot simply gather all users with EU IP addresses and change how they handle their data while continuing to treat everyone else’s data as before. This is the most important detail about GDPR, and every company, no matter how big or small, must comply with the act. The only way to ignore GDPR rules is to block all users from the EU, a step taken by the Los Angeles Times and Chicago Tribune. Let’s see how that turns out.

Data privacy is essential

The GDPR is designed primarily to protect EU citizens and their online data, while also keeping their privacy secure. The good thing is that, although the act is valid only for EU companies, these companies will change their policies for all of their users, no matter where they reside. The act is here to keep private data secure and to prevent future data breaches. If a company follows GDPR rules, hackers would have to steal all data along with decryption keys (all private information must be kept encrypted) in order to get the information necessary to lead to specific people.

The basics of GDPR are to keep user data secure, encrypted, and anonymous. User data cannot lead to a specific user (this is called pseudonymization), and even when a company decides to delete data they must encrypt it and delete the encryption key before deleting the data. The GDPR sees data as personal if it is “private, professional or public.” This includes names, addresses, emails, IP addresses, medical information and social network posts. This also includes any content made by a person living in the EU, like articles, photographs, and much more. This means that companies must make sure that all these types of data are encrypted and anonymous and that they are in compliance with pseudonymization. For instance, if a company keeps your name, address and social posts, they must separate this information before encryption because someone could decrypt this data and use it to find you.

When data is transferred from the EU to third world countries, for example if a company moves their server farm, all data is moved along with its protection. In other words, companies can’t just move private data outside of the EU and do with it as they see fit; they have to keep it encrypted, anonymous, and follow the rules of pseudonymization. Any illegal use of private data (like that of the recent Cambridge Analytica scandal), is strictly forbidden and responsible companies will be harshly penalized. GDPR also includes an EU-US Privacy Shield that keeps the US government from accessing EU citizens’ data and obliges US-based companies to include every form of data protection included in GDPR rules. It is hoped that an annual meeting between the EU and the US will ensure that GDPR regulations are correctly applied.

Furthermore, the EU commission acknowledges that other countries provide adequate private data protection and the commission will allow them to receive private data from the EU without having to include further safeguard measures (they still need to encrypt data and make it anonymous though): Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US. Japan and South Korea should soon be added to this list.

Now that we have covered the basics let us show you how EU citizens can use GDPR and its rules in their favor.

GDPR gives regular citizens lots of power

While GDPR does a lot to keep the private data of every person on this planet private, secure, and anonymous, it provides extra benefits for citizens of the EU (plus those who have citizenship of Iceland, Liechtenstein, and Norway). These benefits are very powerful and can be used in many ways. The most important one is keeping your online privacy intact. This is especially important in the age of social networks and Google, which collect every single bit of data from every single user of their services.

Every bit of data you give to companies must be collected with clear consent. For instance, if you give your email address to a company in order to subscribe to its newsletter, the company has to provide specific checkboxes that users must tick in order to give their consent. A company cannot ask for your data and inform you in small letters below that by clicking on “submit” you are automatically in agreement with their Terms and Conditions Policy. Companies must ask whether a user agrees to be sent promotions, news, etc. At the moment, a company can automatically start sending you automated emails, and you must open an email and click on the link that leads to a page where you can stop these emails from being sent, putting users in danger of being hacked and their data being stolen. If a company starts sending you promotions and other privacy (and inbox) invading emails without you providing clear consent and you happen to be a citizen of an EU country, you can simply contact DPAs (data protection authorities) by visiting this page.

Data Protection Authorities

Once GDPR comes into effect, every EU citizen can demand from a company keeping their data that the data be deleted. They can also ask for access to this data, so that they can see what information a company has on them. If a company refuses to do so, simply contact DPAs. This is a very powerful tool for individuals. Now, once you leave Facebook you can demand that the company delete all of your private data including posts, messages from Messenger, pictures you’re tagged in and more. Basically, you can delete your Facebook page the moment after you decide to leave the social network. Another important thing to remember is that companies have to delete data when the purpose for its collection is no longer relevant. This makes the horrific idea behind the Selfish Ledger impossible to bring to fruition because once you stop using a service, you won’t be able to see targeted ads, or, in case of Google’s Selfish Ledger, your behavior won’t have to be steered, thus ending the purpose of data collection.

As you can see the GDPR puts lots of power into regular people’s hands, and if you are a citizen of the EU you should use that power to its fullest. While citizens are getting lots of power, companies will get lots of responsibility.

What GDPR means for companies

Companies, no matter how big or small, must comply with GDPR if they collect user data online. Lots of rules must be obeyed but some are more important than others.

Companies must comply with GDPR if they collect user data online

Firstly, companies have to get clear and informed consent from users when they are collecting their data. Secondly, companies cannot collect data they don’t have consent for. This means that, if a certain user gives a company their friend’s email address during a referral promotion, the company cannot send any marketing material to that email address and it also cannot keep the email on its servers. They can, on the other hand, send an automated notification email to said friend’s address (deleting it the moment after the email is sent).

Thirdly, companies have to prove why they need the data they want to collect. This means that Facebook, for example, has to prove why the company needs every bit of user data they collect. If they cannot provide a valid explanation, the company cannot collect that type of data. If they refuse they will be prosecuted.

Companies also have to be sure that the third-party services they use – such as online questionnaire providers, servers and hosting providers – that have access to private user data are in compliance with GDPR. Also, larger companies have to hire additional employees that will deal with data protection (data protection officers) and be prepared for an audit by EU investigators. They will inspect random companies on a regular basis to check if they comply with the GDPR. If a company suffers a data breach, they must immediately notify every user of their services along with authorities. No more will companies wait for months, even years, before they go public with information relating to data breaches they have suffered.

And finally, companies must protect backup data, they have to automatically protect new data and they have to be ready to delete all of their email lists unless they have proof that users provided clear and informed consent to be included in the list. Fines can go as high as €20,000,000 or up to 4% of the annual worldwide turnover of the preceding financial year. The EU has already started to fine certain companies, although fines are much lower, at least for now.


The EU is trying to make companies respect the private data of their users, to have all private data encrypted, and to ensure that they use only data given with clear consent. At the moment, we don’t know how the EU will ensure companies comply with the GDPR, but there’s a chance that some giant internet corporation will try to bypass the act, so we will probably see just how GDPR will be enforced pretty soon.

Till then, it looks like the GDPR will finally put an end to the misuse of private data, providing regular people with the power to stay anonymous. Of course, we are sure companies will find a way to separate EU citizens’ data from the rest, meaning that, while EU citizens are to enjoy security, anonymity, and privacy along with the right for their private data to be deleted, others will still have to rely on companies and their will to protect the private data they are collecting, which isn’t much of a comfort. We only hope that other countries will follow the EU and will also come up with similar acts that will keep all of our data private, encrypted and anonymous.

Aigerim is using Turtler in her own hiking and outdoors adventures and proud to be promoting it worldwide as our Marketing Director extraordinaire.
