Mar 22

Privacy and the Online World

Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.

This paragraph is the sixth recital of the GDPR. It highlights how quickly the world has changed since the Data Protection Directive, and that the European Union is trying to meet the challenge of emerging tech. In this blog post, I will give a more consumer-oriented guide on how to protect your privacy online.

However, if you wish to learn more about the legal interplay between the ePrivacy Directive and the GDPR and how electronic communication is regulated in terms of privacy, I refer you to a previous legal deep-dive, and also to this blog post about data protection and ad tech on the internet.

Determining your goals with protecting your online privacy

A very common theme when dealing with online privacy is the trade-off between different interests. If you want to increase your privacy, you will probably experience a lack of functions on some websites, decreased speed and even site breakage. It depends on how far you go. I’ve been there, tried out the most extreme versions, and went back again to the way things were due to the trade-offs.

This leads us to risk analysis. Shout-out to the Privacy Guides for their knowledge base for this model. This sort of threat model is not unusual for people dealing with infosec or data protection. If we look beyond the legal nitty-gritty of the GDPR, how should regular folks think of their online privacy picture? The questions you could ask yourself could look something like this:

  1. What do you want to protect?
    1. This could be your so-called informational assets and personal data such as email, contact lists, correspondence, location, various files and devices.
  2. Who do you want to protect it from?
    1. This could be individuals, organisations, or governments.
  3. How likely is it that you will need to protect it?
    1. Think about different risks, like surveillance, targeted advertising, or just public exposure in general.
  4. How bad are the consequences if things don’t turn out the way you’d like?
  5. How much trouble are you willing to go through to try to prevent potential consequences?
    1. What are the tools at your disposal to mitigate these risks? What can you implement, considering your resources and limitations?

For a lot of people, this way of thinking could be a bit hardcore, but it is also a worthwhile exercise. Think of it as a bit of spring-cleaning. What devices are you using? To whom, and how, do you share your personal data? Would you like to increase or decrease your privacy in relation to these factors in some way?

What should you think about when choosing software providers

I recommend that everybody reflect on which software providers they are using when they are connected to and interacting with the online world. I’m thinking about web browsers, email providers, email clients, and various other apps like social media, direct messengers, search engines and so on. Moreover, there are different settings and configurations to take into account with each provider.

When reflecting on your service providers, you can think about these factors:

  • Autonomy – does the provider give individuals the possibility to determine the use of their personal data, as well as the scope and conditions of that use or processing?
  • Expectation – does the processing align with the reasonable expectations of individuals on how personal data is processed to provide such a service?
  • No deception – does the provider give information and options without deceptive or manipulative language or design in their software?
  • Truthful – does the provider give information about how they process personal data? They should stay true to the information they gave, and not mislead you.

Let’s use me and how I deal with web browsers as an example. I mainly use Firefox in my private life and Chrome at work. They are developed by companies that I trust with my personal data. I have configured Firefox and Chrome to be more secure and privacy-oriented in the settings by using “enhanced tracking protection” and “enhanced protection” as well as sending out a “do not track” message to the websites I visit. Also, I installed an add-on to give me a wide-spectrum content blocker to block trackers, malware, and other unwanted activities that I don’t consent to, like various cookie placements, or link prefetching and URL filtering. It’s not that I need to protect anything in particular; I just feel like minimising my public exposure and with whom I share my personal information. To achieve this goal, I use some settings and add-ons to help me, and I’m not willing to go through that much inconvenience to reach my goal.

To sum up, service providers give or should give you the possibility to configure settings to be more privacy-friendly as well as information about how they process personal data. So when choosing a service provider, you should think about the options they give you, what they tell you, and how much you trust them. If they don’t live up to your standards, maybe you should consider going to a competitor of theirs.

Online Best Practices

Moving on from how you should think when choosing providers and software, let’s go through some other best practices related to being online. Think of these tips as easy ways for you to boost your online security and privacy protection!

When using a web browser, please make sure that it always uses HTTPS when connecting to different websites. When utilising HTTPS, you will surf the web with encryption. It will provide you with both privacy-enhancing and security features, such as protection against man-in-the-middle attacks, eavesdropping and tampering. If you see a padlock in the address bar, you know that the connection to the website is secure.

As you have heard a thousand times before: use strong passwords. A common way to do that these days is with password management software. It will generate passwords for you that are unique, strong, and secure. Connected to this, you should see if your providers support multifactor authentication. It’s a method where you, as the user, provide more than one piece of evidence when logging in (something you possess, something you know, or your biometrics) that you are authorised to log into the account. For example, besides your unique and strong password, you provide a one-time password or a code generated by an authenticator.

If you have used the same email address and weak password as login credentials everywhere, there is a risk that you have been part of an online data breach. There are a multitude of look-up services where you can see if you have been exposed and part of a breach by simply entering your email address.

Maybe it’s just me, but when I get emails from something I haven’t used in a few years, I usually exercise my right to be forgotten as provided by Article 17 in the GDPR. Simply find the link in the email, log in to your account, or contact their DPO/GDPR function mail and state that you would like to be erased from their systems. More often than not, they will honour your request and delete all of or parts of your personal data.

Lastly, something that I recently discovered and started to use is email relay services. Such a service creates a new, unique email address for a specific purpose or website. It works by acting as a proxy and forwarding emails to your regular email addresses. It thereby protects your real email address, and some of these services will even remove some email trackers.

In conclusion, protecting your online privacy is a complex issue that requires a proactive approach. By understanding the trade-offs, assessing your privacy picture, and choosing service providers and software wisely, you can take steps towards better protecting your personal data. Additionally, following the best practices can go a long way in helping you achieve your goals. While there are challenges in protecting your privacy online, I think that there are great benefits in increased control over your personal data. I hope you got some nice takeaways from this piece to help you on your privacy journey.
