Putting EU Citizens in Control of Their Data

Mozilla Fellow Aleksandar Todorović talks privacy and the EU’s General Data Protection Regulation (GDPR)

May 25, 2018 will be a landmark day for the internet.

In about two months’ time, the European Union’s General Data Protection Regulation (GDPR) will go into effect — a sweeping measure that gives citizens more control over their personal data. Drafted over the course of several years and finalized in 2016, the GDPR “focuses on ensuring that users know, understand, and consent to the data collected about them,” WIRED reports. “Under GDPR, pages of fine print won’t suffice.”

The EU’s GDPR will take effect May 25, 2018 | Flickr via Yanni Koutsomitis

The new regulation will replace the union’s current, 20-year-old data protection directive, which was created when just one percent of Europeans were online. And in the northwestern corner of the continent, Aleksandar Todorović — a Mozilla Fellow embedded at Bits of Freedom — is helping build a public-interest tool for the GDPR era.

“The basic idea is to make a web portal that will allow citizens to send requests to internet companies relating to their personal data,” explains Todorović, an information security expert based in Amsterdam. “You can request to see what data companies have about you. You can request to modify that data if it’s incorrect, or you can delete that data, or you can export it.”

The tool, titled My Data Done Right, is slated to launch in June. A progressive mobile app will follow. The tool is built using the code from Access My Info, a similar, open-source project by Citizen Lab in Toronto.

Once the GDPR takes effect, Todorović says its data minimization principle will create a healthier internet ecosystem. “The principle states that data can only be obtained for ‘specified, explicit and legitimate purposes,’” Todorović explains. “By having that statement as a part of the regulation, I believe that companies will ask ‘Do I really need that data point?’ when developing new products or features.”

Todorović says the mood in Europe, on the eve of GDPR implementation, is complicated. “The privacy sector is very excited,” he notes. Meanwhile, developers outside of Europe are scrambling to meet the law’s requirements before May 25. Todorović notes the implementation comes at an auspicious time, when stories like the Facebook-Cambridge Analytica scandal are making global headlines.

In all, Todorović sees the GDPR creating an environment where personal data is more easily controlled by those who create it: “I predict that the end users will exercise their rights a lot more frequently.”

Todorović also says the regulations can have a ripple effect, empowering users beyond Europe’s borders: “I also firmly believe that the features related to GDPR compliance, once implemented, will not be limited to EU citizens.”