2. Protection of Personal Data on the Internet
Data protection refers to the entitlement of every individual to safeguard their privacy and avoid the misuse of their data to the owner’s disadvantage. Every organization and entity that possesses an individual’s data shall make that data available for scrutiny by the owner of said data. Every person should clearly understand the specific data an organization collects and how it manages it. Furthermore, individuals must be able to amend erroneous information and, in rare circumstances, have the option to erase it.
The Personal Data Protection Agency (AZOP) is an autonomous and sovereign governmental entity created by the Personal Data Protection Act in the Republic of Croatia. The Agency’s objective is to enforce Regulation (EU) 2016/67, which safeguards individuals’ data processing (General Data Protection Regulation). It carries out duties within the boundaries and authorities set by the Act on the Implementation of the General Data Protection Regulation (“Official Gazette,” No. 42/18), which guarantees the execution of the General Data Protection Regulation. The primary responsibility of the Agency is to educate stakeholders and the general public about the significance of safeguarding personal data and their associated rights and obligations. Additionally, the Agency is tasked with suggesting initiatives for professional development and training of personal data protection officers and overseeing the execution of all administrative and professional duties outlined in the General Regulation and the Act on Implementing the General Data Protection Regulation.
AZOP is a legally recognized organization with governmental authority that has a defined framework, financial resources, administrative leadership, jurisdiction, responsibilities, and specific activities and functions that it can carry out. Upon the Croatian Parliament’s request, the Agency provides yearly reports analyzing the protection of personal data, data regarding the extent to which citizens’ rights are respected in the collection of personal data, and measures issued by the law, which encompass all procedures.
The Agency’s official website provides explicit information regarding the rights of data subjects, the data they have submitted, and the procedures for managing incorrect or incomplete data. The Personal Data Protection Act stipulates the criteria for collecting and processing personal data. Furthermore, it is ascertained which data is prohibited from being gathered and under what exceptional circumstances it may be collected. The law outlines the authority of the collection manager to designate a processor, specifies their responsibilities, sets the timeframe for the use of specific data, determines the types of data that the controller may or cannot disclose, and establishes the circumstances for transferring personal data overseas. Fines are assessed for contravening the terms of this law.
2.1. Basic Personal Data Concepts
The United Nations Universal Declaration of Human Rights, adopted on December 10, 1948, explicitly states that individuals should not be subjected to arbitrary intervention in their personal life, family, residence, or private correspondence, or to attacks on their reputation and honor.
Regarding safeguarding personal data, it is essential to note that personal data refers to any information that can be connected to an actual individual who, as a result, can be identified. Personal data can be categorized into three main types: basic, particular, and biometric. Basic personal data often includes information such as the individual’s first and last name, residential address, date of birth, and other relevant details. Particular data encompasses information about an individual’s race, nationality, religion, political party affiliation, participation in different associations, and similar characteristics. Biometric data includes each individual’s physical characteristics and behavioral patterns, which may be used to establish their identity quickly. In terms of physical characteristics, this includes fingerprints, DNA, and personal photographs. In terms of behavioral patterns, it refers to characteristics such as gait, vocal tone, accent, handwriting, facial expressions, and more.
As stated by AZOP, any organization, enterprise, or government entity handling personal data must provide stakeholders with clear and concise information regarding data utilization, including:
The purpose for which your data will be used;
The legal basis for processing your data;
The duration for which your data will be stored;
The parties with whom your data will be shared;
Your fundamental data protection rights;
Whether your data will be transferred outside the European Union;
Your right to file a complaint;
How to withdraw your consent, if given;
The contact information of the organization/company responsible for processing your data.
A primary inquiry for this paper was to ascertain the level of familiarity among respondents regarding the concept of personal data and their willingness to disclose their data to a third party to conduct online transactions.
Data is intentionally and willingly acquired when gathering information at an online business. This information is provided by individuals who independently enter it to complete the online order form during registration. Standard information often includes the individual’s first name and surname, street address with house number, zip code, city, country, telephone number, email address, and username.
Customers who have knowingly and willingly shared personal data have the right to request written information from the controller regarding the purpose of the data processing, the specific types of personal data being processed, and the expected duration of storage. Furthermore, the purchaser is entitled to rectify or modify personal information if it is found to be inaccurate, outdated, or incomplete. To accomplish this, it is imperative to notify the controller or customer service of any modifications.
If the controller holds inaccurate information, such as the buyer’s address or phone number, the customer’s shipment may not be delivered electronically or may be sent to the erroneous address, harming the customer.
Each customer has the right to have their data erased, also known as the “right to be forgotten.” They can make this request to the controller if any of the following conditions are met:
Personal data is no longer necessary for collecting or processing purposes;
The consent for processing the data has been withdrawn, and there is no other legal basis;
An objection has been made to processing personal data, and the controller has no legitimate reason to continue processing it;
The data has been processed unlawfully;
The data was collected in connection with the offer of information society services;
The controller is obligated by Union or State law to erase personal data to comply with a legal obligation.
The general workflow of an online shop and how the data moves through its subsystems is shown in Figure 1.
When setting up a user account to make an online purchase, many websites offer the option to write a review for the bought product. When users provide feedback on the product, the website gathers data such as comments, usernames, customer network addresses, information about the Internet browser, operating system, and similar details. As a result of the factors above, there is a potential for finding a link to a webshop when searching for an individual’s full name on an Internet search engine. This link may appear due to misrepresentation of someone else’s name or the deliberate choice of the user not to have their personal information displayed in search results. In such instances, every individual is entitled to reach out to the controller, such as Google, to formally request to remove a hyperlink from search results that includes personal information.
2.2. GDPR
As stated by the AZOP, GDPR is a regulation of the European Union that uniformly regulates the principles of personal data processing, the rights of data subjects, and the obligations of the controller and processor, as well as the organization of the personal data protection system in the procedural and institutional sense. As a European regulation, it ranks above national laws in legal force and replaces the former Personal Data Protection Act in the Republic of Croatia. In addition to the GDPR, the organization and scope of the independent supervisory authority in the Republic of Croatia are governed by the Act on the Implementation of the General Data Protection Regulation (OG 42/2018). Although declared in May 2016, the GDPR did not take effect to its full extent until May 2018.
It is essentially a law that aims to protect the privacy and personal data of all citizens of a Member State of the European Union. Two changes are necessary to adapt the GDPR and the right to be forgotten .... RTBF, right to be forgotten). The very purpose of the regulation was to provide all stakeholders with insight and control over the use of their data from a third party. Therefore, the law aims to protect the data of all residents of the European Union. Still, all organizations that contact these same residents by collecting data, doing business, or providing them with services, wherever in the world, must be harmonized.
As stated in the introduction to this paper, the purpose of this paper was to determine whether there is an impact of adopting a stricter regulation of personal data protection on the perception of customers about the increased security of their data and, if any, whether security has encouraged customers to make more frequent purchases. To explore this, in the practical part of the paper, respondents were asked a set of questions that tried to determine how much their general knowledge of GDPR is, how vital Internet security is in general, and what data they are willing to share to purchase the desired product or service via the Internet. Following the answers given in this set of questions, a parallel was drawn between the habits and awareness of customers about safety itself before and after the regulations, and a conclusion was reached as to whether this ultimately resulted in more frequent purchases.
2.3. The Importance of Protecting Personal Data on the Internet
The value of personal data is increasing daily, due in part to its significance in marketing endeavors and because of instances of misuse and unlawful activity. The business outcomes of an advertising service company are directly influenced by the quantity and precision of its data. Prominent examples of this include Google and Facebook, which are industry leaders that have effectively eliminated most competitors in the Internet advertising sector. The influence of the quantity of high-quality personal data on the effectiveness of advertising campaigns surpasses that of traditional advertising channels like television, radio, or newspapers. Safeguarding personal data within information systems has become a paramount social concern and assumes a significant function.
Negligently handling individuals’ data can significantly harm the rightful owners, infringing upon fundamental human rights about privacy. Leaking personal data can lead to several damaging consequences, such as the fraudulent use of the data to enter into detrimental contracts on behalf of others, the unauthorized withdrawal of significant sums of money from bank accounts, and other similar risks. Distinct economic models exist, including the Personal Information Management System (PIMS). Users can handle their personal information through a personal data management system rather than disclosing it to firms that sell it. Users who lack the time or requisite technical expertise can delegate this duty to specialized companies. Initially, it functions to transfer data between companies that engage in similar activities. However, it distinguishes itself because service providers primarily focus on monetizing their clients’ data. In contrast, providers of personal information management services have a contractual obligation to safeguard the confidentiality of the data.
2.4. Collecting Confidential Information Online
The Internet is the most appropriate and widely utilized platform for gathering and examining personal data. Global interconnection substantially enhances communication and enables the utilization of many services, irrespective of the service provider’s geographical location.
Multiple methods exist for organizations and enterprises to gather data, but a few fundamental ones include:
Soliciting data as a prerequisite for delivering a service;
Monitoring behaviors using cookies and comparable mechanisms;
Acquiring data from an external or independent source.
The current era is marked by the rise of several online services offered by different providers, including free email, cloud storage, social networks, and similar platforms. Most service providers require sharing personal data, including first and last name, date of birth, gender, and other relevant information, as a prerequisite for using their services. Despite the appearance of being free, the service comes at a significant cost, specifically in the form of personal data. For service providers, these data are a crucial source of profits and income, yet they may appear minor to most end consumers.
Furthermore, several companies, including those beyond the Internet, employ comparable strategies. An exemplary illustration of this phenomenon can be observed in sweepstakes, loyalty programs, and other similar mechanisms that necessitate the provision of substantial personal data in exchange for a specific discount or the chance to win a reward. By examining an individual’s name and surname, it is feasible to scrutinize their behaviors, including their purchasing behavior, such as the items and services they buy, the days they make purchases, the quantities they purchase, and the areas where they make their purchases. The abundance of data provides a remarkable foundation for conducting business analysis, ultimately enabling organizations to increase sales and broaden their presence in the market.
The above approaches yield nearly equivalent results when monitoring habits through cookies and other scripts. However, compared to the quantity of data gathered through earlier methods, the potential here expands significantly. Not only does it leave a trace through the IP address used to access it, which can quickly reveal the user’s current location, but it also creates a database of devices used to access services. This database includes information about the operating systems used by the users, the frequency and duration of their access, and details about the content or items they view. The abundance of data collected provides a more comprehensive understanding of the user than most individuals realize. The process of directly gathering user information is called “first-party” data. Seemingly harmless surveys can serve as a potent means of collecting personal data. While the information provided by respondents may appear innocuous and anonymous at first, when combined with data such as an IP address, it no longer remains anonymous. While the primary objective of “first-party” cookies is to enhance the user experience on a website, they can serve as a helpful analytics tool.
Companies’ most valuable data is collected through “first-party” methods. These methods obtain data at minimal cost, are easy to collect, and comply with regulations since the source and data generator are known.
The data referred to as the “other side” is classified as “first-party” data, which is collected by a different entity. Upon initial examination, the situation appears similar. However, it is essential to note that in this scenario, companies purchasing such data frequently lack insight into the data collection methods and compliance with regulations during the collection process. Additionally, there is a potential risk of data overlap. This is exacerbated by the constant accumulation of extraneous (i.e., trash) data by the same dataset, resulting in the need for significant resources for both analysis and storage. Another essential benefit of utilizing “third-party” data is the ability for organizations to expand their customer base by reaching out to new clients. This capability is not possible with their own “first-party” data.
Understanding the term “Third-party” data is crucial. It’s a collection of information from various sources consolidated into a comprehensive database. This data, essentially a compilation of numerous “first-party” data, is often purchased from an intermediary. Due to their large size, these databases are frequently organized and classified based on many factors and criteria. This allows companies to precisely ascertain the specific sector and type of data they intend to purchase, empowering them with the knowledge to make informed decisions.
The data collection landscape is changing thanks to increasing awareness and the implementation of new legislation like GDPR. Many major corporations now publicly declare they are discontinuing “third-party” data collection, mainly obtained from accompanying or tracking cookies. This shift is a reassuring step towards better data privacy and security.
Aside from the aforementioned lawful means of gathering data to construct customer and user databases, an illicit entity’s objective is to acquire individuals’ personal information for unlawful intentions. Most of these techniques can be classified as social engineering, in which the attacker manipulates the victim by posing as a helpful individual, a reputable organization, or a public institution, among other disguises.
Some prominent techniques of social engineering include:
Phishing refers to the fraudulent practice of attempting to obtain sensitive information, such as usernames, passwords, and credit card details, by disguising oneself as someone else;
Vishing refers to a fraudulent activity in which individuals attempt to deceive others over the phone to obtain sensitive information or money;
Smishing refers to fraudulent activity where scammers use text messages to deceive and manipulate individuals into revealing sensitive information or performing actions detrimental to their security.
Phishing, a form of computer fraud conducted through email, is a sophisticated deception commonly employed on behalf of an organization to deceive individuals into divulging personal information. The name is taken from the English term “fishing,” which metaphorically refers to the act of an attacker (fisherman) luring and capturing a victim (fish). This style of fraud is typically executed with a high level of sophistication, making it challenging to detect as a malicious attempt. It often entails luring users to a fraudulent website that resembles the legitimate organization’s site, frequently through a link in an email. This information should make us all more cautious and vigilant about our online interactions.
This attack has sub-variants, such as smishing, which involves using text messages to carry out a similar attack, and vishing, which requires phone calls. All the attacks above are classified as social engineering, in which the attacker effectively assumes a false identity, typically expressing concern for the victim’s property or data safety. Subsequently, unsuspecting victims willingly disclose sensitive information. These attacks, known as data breaches, pose significant risks to businesses, resulting in substantial financial and reputational losses due to the exposure of sensitive information.
Aside from the social engineering techniques mentioned earlier, which involve the attacker directly targeting the victim, several indirect ways of data theft exist. These include the creation of counterfeit websites, the unauthorized acquisition of databases, the procurement of stolen personal information through illicit means, and numerous other approaches. Computer programs obtained from untrustworthy sources containing embedded dangerous code, such as malware and spyware, present a significant threat as they are specifically designed to harm the user and illicitly gather data.
2.5. Identity Theft
Identity theft involves illicitly using another individual’s personal information to engage in fraudulent activities, deceit, and impersonation for criminal purposes. The Internet serves as the primary platform for most identity theft cases. Identity theft is fraudulently assuming someone else’s identity, typically to obtain financial or other advantages. Vidas defines identity theft as the act of appropriating someone else’s identity without their awareness or permission. Identity theft occurs when somebody else uses our personal information.
The primary perils associated with identity theft are tangible harm and the ruin of the victim’s reputation. The most prevalent forms of identity theft involve the unauthorized use of individuals’ documents, such as identification cards, credit cards, and passports, as well as personal information, including names, addresses, unique registration numbers, and other pertinent details. The Internet provides an ideal environment for criminal activity due to the combination of carelessness, convenient access to personal data, and the ability for attackers to operate from a remote location. One issue stems from all Internet users being compelled to relinquish their data to different Internet services to access and utilize them. The increasing normalization of sharing personal information has made users less vigilant and more casual, reducing their caution towards the possible risks associated with data theft. Consumer negligence considerably aids data thieves, whether they exploit weak security measures of other parties or create a fraudulent replica of a popular Internet service’s website. Identity theft can occur without the direct theft of personal information, as individuals often unknowingly expose themselves to risk by willingly sharing personal data on social networks.