A few weeks back, I set foot in a Sephora store with a friend for about 30 minutes and, despite having zero interest in makeup, I have been bombarded by Sephora ads ever since. Every day, corporations track our data, whether it’s our internet search history, the apps that we use, or (as in my case) our location. It’s time to turn the tables and do some tracking ourselves – what exactly are the data privacy laws that govern us and decide where all of our data is sent?
Currently, the EU’s law for data protection and privacy is the General Data Protection Regulation (GDPR). All EU citizens are protected by this regulation in that an individual’s personal data is owned by the individual themselves and that in order for their data to be used by a business, the individual must first provide informed consent. This is contrasted by the United States’ federal laws pertaining to data privacy which, frankly, do not exist in any comprehensive form (Kulik, 2020).
What does this mean for the UK? Technically, after the UK leaves the EU in January 2021, it no longer has to abide by the GDPR. That being said, the EU’s GDPR has an extraterritorial effect and applies to any and all companies that do business in the EU and have EU citizens as customers. Unless UK companies are willing to sever economic ties with the rest of Europe, it seems that the GDPR is here to stay.
Alas, akin to an Anthony Sullivan OxiClean commercial, I’m obligated to say, “but that’s not all.” From August 2016 to July 2020, the EU-US Privacy Shield Framework was the “legal mechanism for companies to transfer personal data from the EU to the United States” (FTC, 2016). In theory, businesses could manage customer data using the principles laid out in this framework and satisfy EU privacy regulations. However, after the GDPR took effect in May 2018, the Court of Justice of the European Union (CJEU) revisited the EU-US Privacy Shield and decided on 16 July of this year that it “did not offer adequate protection for EU data when it was shipped overseas because U.S. surveillance laws were too intrusive” (Manancourt, 2020).
What all of this means is that the UK will still have to follow the GDPR; however, it will have to scramble to negotiate a new Privacy Shield with both the US and the EU so that its businesses have a framework to follow in order to satisfy data privacy regulations. In the meantime, the UK will have to rely on more vigorous standard contractual clauses (SCCs) for international trade, which have been deemed legal by the CJEU.
Considering that the Sephora store that I visited was in the United States and that Sephora US has been banned from shipping to the UK due to GDPR violations, let’s hope the UK is able to develop strong guidelines to protect other customers from getting unsolicited makeup ads.