The EU's new privacy legislation, the General Data Protection Regulation ("GDPR"), applies from 25 May 2018. The GDPR has a long reach and it will undoubtedly affect Web+Center users and future Web+Center application designs. Read this article to learn more about the GDPR and to stay informed in the global discussion of data protection and privacy.
General Data Protection Regulation (GDPR)
Welcome to 2018, the year that data protection and privacy regulation arrives to rein in some of the past abuses of the Internet's collection, storage and sharing of your personal data without your consent.
The General Data Protection Regulation ("GDPR") is a regulation of the European Union designed to give individuals better control over their personal data. The GDPR was formally adopted in April 2016 and applies from 25 May 2018.
At Internet Software Sciences we like to keep our users informed about important changes and trends in our Global, Internet connected world. This may be the most important topic for 2018 and, indeed, for a few years to come.
Everyone knows that the Internet and its applications, sales, commerce and data have GLOBAL reach and scope. I can (and do) sell and offer Web+Center software to a user in France or another European country as easily as to a user in California. Companies and organizations often build their applications and collect personal data (that is, data which identifies or is about a data subject) with little thought to the country of the user, to where the processing actually takes place, or to the possibility that different data privacy rules apply.
In the EU (where privacy laws are more stringent than those in the US) it has long been established that personal data should be protected. The basic principles of data protection and privacy have, in fact, been in place since the 1970s. The pace of technological change and the value of the data sharing market have long meant that the European legislative framework needed updating. The GDPR is that update.
You may well wonder why or how this could possibly affect you. As I mentioned above, the reach of the GDPR is wide. It applies when data processing takes place within the EEA, even if the data subjects reside outside the EEA, and it also applies when the processing takes place outside the EEA (say, in the US) if it relates to offering goods or services to individuals in the EEA or to monitoring their behavior.
The first thing to explain is that the GDPR applies directly across all European Economic Area ("EEA") member states. For this reason, data can be transferred freely between EEA states without businesses and public authorities having to satisfy themselves in each case that the relevant national data protection safeguards are sufficient.
The same assumption cannot be made about the data protection safeguards of countries outside the EEA. It is generally accepted that privacy safeguards in the US, for example, lag some way behind Europe's. Therefore, for non-EEA countries, the GDPR includes provisions allowing the European Commission to decide that a country's data protection framework is "adequate". If an adequacy decision is made, the free flow of data may follow. Without such an adequacy decision, European businesses need to find another way to transfer data legitimately outside the EEA. It will not surprise most readers to hear that the US has not received an adequacy decision.
Luckily, the GDPR provides a framework for alternatives to adequacy but these can be more costly and onerous for businesses and are more limited in their application. However, with the GDPR about to come into force, you may well have already received updated GDPR compliant data processing and / or data transfer terms from any EEA based clients, customers or suppliers.
Therefore, just as customs, traditions and laws vary from country to country, how you may collect, handle and share anyone's data on the Internet now depends on the person's location, your server location and other factors. The level of consent and the degree of transparency about your data collection and sharing required by the EU's GDPR is orders of magnitude higher than what most US based companies currently offer.
The GDPR is Europe's attempt to create a single, enforceable standard to protect the rights and freedoms of individuals in the EU.
The GDPR website reads:
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy.
The European Union's approach to many things (food, housing, health care, etc.) is generally more consumer friendly than the corporate friendly regulations of the USA. Most of us have come to realize that our privacy on the Internet is largely under the control of the corporate interests that provide the platforms we use for searching, shopping and social media. Google search, Gmail, Facebook, Twitter and most e-commerce sites routinely capture, parse, store and sell (all of which the GDPR calls "processing") our online data and experiences through numerous other channels without our explicit consent.
Much of these companies' market value is based on that data collection and on reselling that data without our knowledge and consent. What will happen to the value of Google or Facebook when non-US users of their platforms have the right to understand their data collection methods and to demand to see what these companies store about them?
The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Here are some examples of how the GDPR will impact common practices relating to the collection and processing of personal data:
Consent:
The basic single pre-selected check box, with a link to a terms and conditions manifesto that allows the company to do anything with your data, will no longer be valid. Under the GDPR, valid consent has five characteristics:
- Unbundled: Consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
- Active opt-in: Pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (e.g. a binary choice given equal prominence).
- Granular: Give granular options to consent separately for different types of processing wherever appropriate.
- Named: Name your organization and any third parties who will be relying on consent – even precisely defined categories of third-party organizations will not be acceptable under the GDPR.
- Easy to withdraw: Tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
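The five properties above can be checked mechanically before a sign-up form ships. The following is an added example written for this article, not Web+Center code and not a schema the GDPR defines: a small lint that walks a form's consent checkboxes and reports every way one of them falls short, followed by an append-only consent ledger in which a later withdrawal always overrides an earlier grant. The field names (`processing`, `recipients`, `withdrawal`, and so on) and the two sample forms are assumptions constructed for the example.

```javascript
// Added example (not Web+Center code): lint a form's consent checkboxes
// against the five properties of valid consent, plus a minimal consent
// ledger. Field names below are assumptions for this example, not a
// Web+Center or GDPR-defined schema.

// Constructed sample: the "one pre-ticked box covers everything" pattern.
const BAD_FORM = {
  purposes: [
    {
      id: "marketing",
      processing: ["email-marketing", "profiling"], // two things behind one box
      bundledWithTerms: true,        // ticked together with the T&Cs
      defaultChecked: true,          // pre-ticked
      preconditionOfService: true,   // cannot sign up without it ...
      necessaryForService: false,    // ... although the service does not need it
      recipients: [{ category: "selected advertising partners" }],
      withdrawal: null,              // no way out stated
    },
  ],
};

// Constructed sample: the same purpose presented in a GDPR-style form.
const GOOD_FORM = {
  purposes: [
    {
      id: "email-marketing",
      processing: ["email-marketing"],
      bundledWithTerms: false,
      defaultChecked: false,
      preconditionOfService: false,
      necessaryForService: false,
      recipients: [{ name: "Internet Software Sciences" }, { name: "Example Mailer Ltd" }],
      withdrawal: "unsubscribe link in every email, or the account settings page",
    },
  ],
};

// Returns a list of problems; an empty list means every checkbox passes.
function lintConsentForm(form) {
  const problems = [];
  for (const p of form.purposes) {
    // Unbundled
    if (p.bundledWithTerms) problems.push(`${p.id}: consent is bundled with the terms and conditions`);
    if (p.preconditionOfService && !p.necessaryForService) problems.push(`${p.id}: consent is a precondition of the service although the processing is not necessary for it`);
    // Active opt-in
    if (p.defaultChecked) problems.push(`${p.id}: opt-in box is pre-ticked`);
    // Granular
    if (p.processing.length > 1) problems.push(`${p.id}: one box covers ${p.processing.length} kinds of processing; split it`);
    // Named
    if (p.recipients.length === 0) problems.push(`${p.id}: no recipients named`);
    for (const r of p.recipients) {
      if (!r.name) problems.push(`${p.id}: recipient given only as a category (${r.category})`);
    }
    // Easy to withdraw
    if (!p.withdrawal) problems.push(`${p.id}: no withdrawal method stated`);
  }
  return problems;
}

// Append-only ledger of consent decisions. Nothing is overwritten, so the
// history of grants and withdrawals is preserved as evidence.
function recordConsent(ledger, subjectId, purposeId, given, atMs) {
  ledger.push({ subjectId, purposeId, given, atMs });
  return ledger;
}

// The latest decision for (subject, purpose) wins; no entry means no consent.
function hasConsent(ledger, subjectId, purposeId) {
  let latest = null;
  for (const e of ledger) {
    if (e.subjectId !== subjectId || e.purposeId !== purposeId) continue;
    if (latest === null || e.atMs >= latest.atMs) latest = e;
  }
  return latest !== null && latest.given;
}

console.log("BAD_FORM problems:", lintConsentForm(BAD_FORM));
console.log("GOOD_FORM problems:", lintConsentForm(GOOD_FORM));
```

Run it with Node and the bad form reports six problems, one per broken property (the precondition check counts separately from the bundling check), while the good form reports none. Keeping the ledger append-only rather than flipping a single boolean is deliberate: it is the record you would hand a Regulator to show when consent was given and when it was withdrawn.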
Scope of Users:
As stated above, the GDPR applies to any organization doing business in the EU or which processes personal data originating in the EU, whether the data of residents or of visitors.
So organizations of any size in any country that process anyone's personal data are subject to the GDPR if that data originated in the EU. If your website or organization sells to or connects with users in the EU, your website and its contact and consent forms will need to be GDPR compliant.
The cost of getting it wrong
The GDPR gives data privacy Regulators in the EU new investigative and corrective powers. If a Regulator receives information about, or becomes aware of, instances of non-compliance, it is likely to take action. If an investigation reveals a contravention of the GDPR, the Regulator has the power to impose fines of up to EUR 20 million or up to 4% of worldwide annual turnover (whichever is higher).
While some Regulators have indicated that the heaviest fines will be reserved for the most serious and flagrant infringements, no business will want to test their flexibility with such huge sums of money at stake.
Web+Center and GDPR:
If you start to read through all of the requirements, potential fines and liabilities of the GDPR, you may quickly wonder where a company's GDPR responsibility lies when it has purchased web software (like Web+Center) to perform some business function that includes the collection of "personal data". Bear in mind that even a bare email address counts as "personal data" if an actual person can be identified from it. Under the GDPR the organization that decides why and how the data is collected (the "controller") remains responsible for it; the software vendor is drawn in as a "processor" only if it actually handles the data on the customer's behalf. Will software vendors create special EU versions of their software with substantially more prompts and consent options, and with options for users to view the data recorded about them and to have it removed on request at any time? Or will they ensure that their software and practices comply with the higher standard regardless of whether the data in question is caught by the GDPR?
Does this impact much of the US tech sector?
In my view the market value of many of the highly valued US based global tech companies (Google, Facebook and LinkedIn, for starters) rests on data collection and on reselling that data without transparency. Those huge tech companies are undoubtedly already putting practices in place to ensure that they can demonstrate compliance come May 2018. But I suspect that many tech companies without the resources of those giants are lagging behind in their preparations, and they will face the same question about what non-US users can now demand to know about the data stored on them.
What happens if US customers wish to get the same privacy and personal data protections that our European counterparts get under this law?
This is, in fact, already possible in certain circumstances. As I said above, the GDPR builds on the current European privacy legislation. Under that legislation, data subjects can already request access to their personal data and to information about how and why it is being processed, if that processing takes place within the EEA. This is the case regardless of whether the data subject is an EEA citizen. A US professor is doing exactly this. David Carroll realized that Cambridge Analytica (the controversial data analysis firm that helped Trump with his election campaign) had processed his personal data in the UK. He therefore put in a data subject access request and was able to learn what data about him had been processed. You can read more about this story here:
https://www.theguardian.com/technology/2017/oct/01/cambridge-analytica-big-data-facebook-trump-voters
For several years, many US tech business models have been built on capturing people's Internet experiences and reselling them to advertisers. Modern US marketing advice tells business leaders to make your customers your product and sell them to others for profit. An important section of the GDPR covers what it calls privacy by design (and by default). From the earliest stages of developing a product under the GDPR, you look for ways to minimize the amount of personal data you collect, and you build ways to "prune" personal data out of your systems as soon and as completely as possible. This is the complete opposite of the US "BIG DATA" model, in which our search engines, email scanners and social media capture and catalog our interests and habits for later resale through the ad systems attached to Gmail, Facebook and other websites.
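For a help desk application the two halves of privacy by design mentioned above are concrete: accept only the fields the case needs, and strip the requester's identifiers once a closed case has aged out. The following is an added example written for this article, not Web+Center code: an intake function that allow-lists fields, and a pruning pass that pseudonymises closed cases after a retention period. The ticket shape, the field allow-list and the 90-day period are assumptions constructed for the example, not a Web+Center schema or a period the GDPR prescribes.

```javascript
// Added example (not Web+Center code): data minimisation at intake and
// retention-based pruning of closed help-desk cases. The record shape, the
// field allow-list and the 90-day retention period are assumptions for this
// example, not a Web+Center schema or a period the GDPR prescribes.

const DAY_MS = 24 * 60 * 60 * 1000;

// Only what the help desk needs to work the case is accepted from the form;
// anything else the browser or a form builder tacks on is dropped at the door.
const TICKET_FIELDS = ["subject", "description", "requesterName", "requesterEmail"];

function intakeTicket(submitted, nowMs) {
  const ticket = { createdAt: nowMs, status: "open", closedAt: null };
  for (const f of TICKET_FIELDS) {
    if (submitted[f] !== undefined) ticket[f] = submitted[f];
  }
  return ticket;
}

// Retention rule (assumed): a case keeps its identifiers while it is open and
// for 90 days after it closes, so the requester can reopen it; after that the
// identifiers are stripped and only the case content survives for statistics.
const CLOSED_CASE_RETENTION_MS = 90 * DAY_MS;
const PERSONAL_FIELDS = ["requesterName", "requesterEmail"];

function pruneTicket(ticket, nowMs) {
  if (ticket.status !== "closed" || ticket.closedAt === null) return ticket;
  if (nowMs - ticket.closedAt < CLOSED_CASE_RETENTION_MS) return ticket;
  const pruned = { ...ticket, pseudonymised: true };
  for (const f of PERSONAL_FIELDS) delete pruned[f];
  return pruned;
}

function pruneTickets(tickets, nowMs) {
  return tickets.map((t) => pruneTicket(t, nowMs));
}

// Constructed sample data.
const NOW = Date.UTC(2018, 4, 25); // 25 May 2018
const SUBMITTED = {
  subject: "Cannot log in",
  description: "Password reset email never arrives",
  requesterName: "A. Person",
  requesterEmail: "a.person@example.com",
  dateOfBirth: "1980-01-01",      // never asked for; dropped at intake
  browserFingerprint: "ab12cd34", // never asked for; dropped at intake
};

const TICKETS = [
  { ...intakeTicket(SUBMITTED, NOW - 200 * DAY_MS), status: "closed", closedAt: NOW - 100 * DAY_MS },
  { ...intakeTicket(SUBMITTED, NOW - 30 * DAY_MS), status: "closed", closedAt: NOW - 10 * DAY_MS },
  intakeTicket(SUBMITTED, NOW - 1 * DAY_MS),
];

console.log(pruneTickets(TICKETS, NOW));
```

Of the three sample cases, only the one closed 100 days ago loses its requester name and email; the case closed 10 days ago and the open case are returned unchanged. Running the pruning pass on a schedule, rather than relying on someone remembering to delete old records, is what turns the "prune" intention into a practice you can demonstrate.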
Conclusions: Hopefully this will spawn some conversations around the water cooler now that you know what "GDPR" stands for and how you can plan for the changing world of the Internet. If you have more information or comments on this topic, please send them to Internet Software Sciences (sales@inet-sciences.com) so that we can include them in additional articles or blog postings.
Article Authors:
Scott Vanderlip (Internet Software Sciences) and Gemma Chub (GDPR consultant from the UK who is currently seeking her GDPR certification to provide companies with GDPR legal guidance).