Records of processing activities. Data processing agreements. Data processing impact assessments. Privacy notices. Cookie banners. Data subject requests. Data flow mapping…The world of data privacy can be overwhelming, even for those of us who work with it professionally. It is especially frustrating when companies feel that they are losing their competitive edge due to limiting regulations. However, this should not be a reason to lose sight of the real purpose behind the need to strictly regulate this issue.
Why we need data protection regulations in a digitalised world
A recent piece of investigative journalism by the Washington Post provides a clear example of why strong regulations on data privacy, such as the GDPR, are necessary in today’s digital world. The article describes a real-life case in which a non-profit organisation in Colorado (US), called Catholic Laity and Clergy for Renewal, spent millions of dollars between 2018 and 2021 purchasing mobile app tracking data from dating apps used primarily by gay men, including the hugely popular Grindr. It appears that the data were not sold directly by the dating apps, but rather by data brokers who collect information from various sources and sell it for a profit.
Typically, the information sold by data brokers is used to target advertising campaigns based on the individuals’ profiles. In this case, however, Catholic Laity and Clergy for Renewal used the app-based location information of thousands of individuals and cross-referenced it with the addresses of church residences to identify priests who were active on the apps. The organisation then informed bishops and other senior church officials of its findings, apparently with the aim of ‘purifying’ the Church by hindering the careers of allegedly homosexual priests, either by causing their dismissal, resignation, or by preventing them from being promoted.
From a GDPR perspective, this story would be completely unlawful and could result in millions of dollars in fines for all parties involved – the dating apps for failing to implement adequate technical and organisational measures to protect their users, the data brokers for selling sensitive data, and the non-profit for its orchestrating it all. In Colorado, on the other hand, no consequences are expected because there are no laws prohibiting the sale of these data. Everything that happened is deemed acceptable.
While opinions may vary on the group’s justifications and the importance of clergy celibacy, almost everyone can recognize that something is amiss in a world where an app used on your personal phone for intimate affairs can be weaponised against you and result in the loss of your job.
Privacy is a fundamental right
But scandalous cases of sensitive information like the one in Colorado are not necessary to acknowledge the fundamental importance of data protection. Location data, cookies, and other small pieces of information in the wrong hands can lead to identity theft, reputational damage, discrimination, stalking, and exposure to fraud. And even if no tangible consequences are realised, the concept of privacy holds significance on its own. Most of us would feel uneasy if a stranger were to access our phones, read our text messages, and view the photos in our camera roll.
This allows us to see the bigger picture and remember why the GDPR had to be created. When a company is required to map its processing activities, the goal is not to fulfil a bureaucratic obligation but to facilitate the protection of a fundamental right. When a website gives you the option to reject cookies, it is not trying to inundate you with annoying banners but to empower you to exercise control over your privacy.
Data protection is not a bother of legal requirements and paperwork, but a guarantee that, even in a world run by surveillance technology devices, we can still enjoy a private life.