A lot is happening in the world of internet and data security. In an increasingly digital world where the value of personal data is immense, two cultures are adopting two distinct approaches to its regulation.
In the US, a recently adopted law allows Internet Service Providers (ISPs) to sell their users' browsing history, forcing users to search for new ways of protecting their privacy. This move was followed by the FCC's attempt to roll back net neutrality, which may result in ISPs charging fees for faster access, prioritizing their partners' content, and blocking or simply throttling competitors' sites.
Meanwhile, in stark contrast to the loss of user control in the US, on the other side of the ocean the EU has been working on new legislation known as the General Data Protection Regulation (GDPR). This reform is designed to give individuals in the EU (data subjects, in GDPR terms) more control over their personal data. GDPR also provides a transparent, unified framework for all EU countries and the businesses operating within them (data controllers and processors, in GDPR terms), outlining their responsibilities for:
- Obtaining user consent
- Data collection, storage, and processing
- Data security and confidentiality, breach prevention processes, etc.
One of the most significant aspects of GDPR is that this regulation applies to all companies that control, process, or store the personal data of individuals in the EU, even if the company itself is located outside the EU (Article 3).
GDPR enforcement begins on May 25th, 2018, when the two-year grace period prescribed by the GDPR ends.
What are the rights granted to EU users according to the new regulations in Europe and globally? Let’s take a look.
Before the GDPR
GDPR was preceded by the Data Protection Directive (95/46/EC), adopted in 1995. One of its main flaws was ambiguous jurisdiction. For transfers of data to countries outside the EU (third countries), the directive required those countries to provide an adequate level of protection. A separate committee was established to advise on the level of data protection in third countries. However, without enforcement, few businesses bothered.
Nevertheless, the committee did aim to help third countries achieve "adequate protection." One example of its efforts is the Safe Harbour Principles, an arrangement negotiated between the EU and the US between 1998 and 2000. The Principles were designed to prevent disclosure or loss of customer information. US companies could self-certify if they followed the seven principles outlined in the document, and from 2000 certified US companies were allowed to transfer EU customers' data to the US for processing or storage. But from the outset there was a limitation on which US organizations qualified for participation (only those under FTC or Department of Transportation jurisdiction), which left the Principles of limited use. The framework was eventually invalidated by the Court of Justice of the EU in October 2015 (the Schrems case).
Within the EU itself, a directive is binding only as to the result to be achieved; it is up to each member state to decide how to transpose it into national law, so the resulting laws vary from country to country. A regulation such as the GDPR, by contrast, is a binding legislative act that applies directly in every member state without national transposition.
These and other reasons created a need for unified, more transparent and modern legislation that keeps up with the changing digital ecosystem. The first step toward GDPR adoption was taken in January 2012, when the European Commission published its proposal for updated data protection rules.
What Are the Effects of GDPR for Users (Data Subjects)?
GDPR applies to all organizations established in the EU, and to organizations outside the EU that offer goods or services to data subjects in the EU or monitor their behaviour (Article 3). In practice this covers almost every company that processes or stores personal data of individuals in the EU.
Under the new regulation, the definition of "personal data" (Article 4) explicitly covers identifiers such as location data and online identifiers, which per Recital 30 include IP addresses and cookie identifiers.
Article 9 (in Chapter II) defines "special categories of personal data," commonly referred to as sensitive personal data. Genetic data and biometric data processed to uniquely identify a person are now explicitly included, and data controllers and processors may process such data only under the specific conditions the article lists.
Chapter III of the GDPR contains the list of rights granted to data subjects and enforced by the Data Protection Authorities (DPAs). Specifically, Chapter III establishes the rights of access to one's data, rectification of errors, erasure of data, and restriction of processing of one's personal data. Data controllers may request additional information to confirm the identity of a data subject where there is reasonable doubt, and must respond without undue delay and in any event within one month (extendable by two further months for complex or numerous requests). The information must be presented to the data subject in a transparent manner and, as a rule, free of charge (Article 12).
Furthermore, GDPR specifically outlines the information that data subjects must be given, whether the data was collected from them directly (Article 13) or obtained from another source (Article 14). In both cases this information must include, among other details:
- The purpose and legal basis for the processing
- The categories of personal data collected
- The recipients of the collected data
- The period for which the data will be stored or, if that is not possible, the criteria used to determine that period
Overview of Rights of the Data Subjects
A central right under the GDPR is the right of access (Article 15): the data subject is entitled to confirmation of whether their data is being processed, a copy of that data, and the details of the processing, so that they can exercise control over it at any point.
Additionally, data subjects must be informed of their other rights:
- Restriction of and objection to processing. Data subjects may request that processing be restricted or object to it outright.
- Erasure and rectification. Subjects may request erasure of their data or correction of inaccurate data, and the controller must communicate any rectification, erasure or restriction to each recipient of the data (Article 19).
- Not to be subject to a decision based solely on automated processing, including profiling, where it produces legal or similarly significant effects on the data subject (Article 22).
- Complaints. Subjects may lodge a complaint about violations with a Data Protection Authority.
Right to Erasure
At the data subject's request, a controller may be obliged to erase a subject's personal data for one of the following reasons (Article 17):
- The personal data was collected or otherwise processed unlawfully
- The data is no longer necessary for the purpose it was collected for and no new lawful purpose exists
- The data subject withdraws the consent on which the processing was based and there is no other legal ground for it
- The data subject objects to the processing and there are no overriding legitimate grounds for continuing it
It is important to note that even where data has been processed by a third party on the controller's behalf, the data controller remains responsible for its removal; and where the controller has made the data public, it must take reasonable steps to inform other controllers processing that data of the erasure request (Article 17(2)).
Right to Restriction of Data Processing
Data subjects may use this right (Article 18) in the following cases:
- The processing is unlawful, but the data subject prefers restriction to erasure
- The accuracy of the data is contested, for the period the controller needs to verify it
- The controller no longer needs the data for its original purpose, but the data subject needs it to establish, exercise or defend legal claims
- The data subject has objected to the processing, pending verification of whether the controller's grounds override theirs
Right to Rectification (Article 16) ensures that each data subject may request correction of inaccurate data or completion of incomplete data, including by providing a supplementary statement to the controller.
Right to Data Portability (Article 20) allows each data subject to receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format, and to transmit that data to another controller, either themselves or, where technically feasible, directly between the controllers on request. This applies where the processing is based on consent or a contract and is carried out by automated means, and the service must be free of charge.
Right to Object Processing
Data subjects may use this right to prevent processing of their data in the following situations:
- The data is used for direct marketing, including profiling related to it; this objection is absolute and the controller must stop
- The processing is based on legitimate interests or a public-interest task and the controller cannot demonstrate compelling legitimate grounds that override the interests and rights of the data subject
How Does GDPR Impact Businesses?
Clearly, the EU is committed to putting some order into the way its residents' data is treated, which means that companies that want to work in the EU market now face a complicated task that calls for significant changes. A poll by SAS indicates that 48 percent of UK adults plan to use the rights granted by GDPR, and 15 percent of them will do so in the very first month. Data controllers had better be prepared, because the penalties the regulation sets for breaches and violations are harsh (Article 83):
Serious offenses can cost an organization up to 20 million Euro or 4 percent of total worldwide annual turnover of the preceding financial year, whichever is higher.
Lesser misconduct can result in fines of up to 10 million Euro or 2 percent of total worldwide annual turnover, whichever is higher.
And that is only the fines. Qualifying as GDPR-compliant requires companies to implement new standards, procedures, and even new positions.
GDPR is Not Just About the EU
This change is not going to be limited to Europe. It is effectively global, since GDPR affects all companies handling the data of data subjects in the EU, even from locations outside the EU.
If this seems like a huge cost to businesses around the world, it is not all bad.
In a press release by the European Commission the following benefits for businesses are mentioned:
- One law for the whole EU, which should cut legal expenses for data controllers.
- One-stop shop: a company operating in several member states deals with a single lead supervisory authority, that of its main establishment, rather than with a separate regulator in each country.
- Equal conditions: EU companies have been far more regulated in terms of data than companies outside the EU, which created a sort of "unfair advantage." Now all players in the EU market will compete and operate on the same level. This creates more opportunity for smaller companies and startups, which may attract customers thanks to the data portability right that allows users to move their personal data between controllers.
Furthermore, some of the up-front costs will pay off down the line, for data subjects and controllers alike. For example, GDPR requires "data protection by design and by default" (Article 25), which means that privacy and security become one of the pillars of product design. Requirements of this sort demand more investment from controllers, but they will also drive innovation in technologies such as encryption, data anonymization and pseudonymization, which can provide insight from data analysis while keeping customer safety front and centre. More companies will consider in-house or self-hosted solutions instead of third-party data processors to reduce risk and stay in control.
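Pseudonymization is the most common of these techniques in practice, and the security-relevant detail is in Article 4(5): the "additional information" needed to re-identify a person must be kept separately and under its own technical and organizational measures. The following Python example is added here to show what that looks like in code; it is not from the original article, and the customer records, key handling and function names are constructed for illustration. It contrasts an unkeyed hash of an e-mail address, which anyone with a list of candidate addresses can reverse by dictionary lookup, with a keyed HMAC token; shows that the controller, who holds the key, can still answer an access or erasure request by recomputing the token; and shows that datasets pseudonymized under different keys cannot be joined on the token alone.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records for illustration only (not real customers).
CUSTOMERS: List[Dict] = [
    {"email": "alice@example.com", "country": "DE", "orders": 3},
    {"email": "bob@example.net", "country": "FR", "orders": 1},
]


def new_pseudonymisation_key() -> bytes:
    """Generate a random 256-bit key.

    This key is the 'additional information' of Article 4(5): it must be
    stored separately from the pseudonymised dataset (for example in a KMS
    or HSM) and never shipped alongside it. Destroying the key makes the
    tokens unattributable, which is one way to implement erasure.
    """
    return secrets.token_bytes(32)


def normalise(identifier: str) -> str:
    """Canonicalise so 'Alice@Example.com' and 'alice@example.com' map to one token."""
    return identifier.strip().lower()


def unkeyed_hash(identifier: str) -> str:
    """What NOT to do: a plain SHA-256 of the e-mail address.

    Anyone holding a list of candidate addresses can recompute the hashes
    and match them, so this is not meaningful pseudonymisation.
    """
    return hashlib.sha256(normalise(identifier).encode("utf-8")).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed token (HMAC-SHA256) for a direct identifier.

    Same identifier + same key -> same token, so joins and de-duplication
    inside one dataset still work; without the key the token cannot be
    attributed back to the person or matched against a dictionary.
    """
    return hmac.new(key, normalise(identifier).encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records: List[Dict], key: bytes) -> List[Dict]:
    """Replace the direct identifier with a keyed token, leaving other fields intact."""
    out = []
    for rec in records:
        pseudo = {k: v for k, v in rec.items() if k != "email"}
        pseudo["subject_id"] = pseudonymise(rec["email"], key)
        out.append(pseudo)
    return out


def contains_direct_identifier(records: List[Dict]) -> bool:
    """Check that no record still carries the raw e-mail field."""
    return any("email" in rec for rec in records)


def records_for_subject(records: List[Dict], email: str, key: bytes) -> List[Dict]:
    """Serve an access or erasure request: the controller, who holds the key,
    recomputes the token and selects the subject's records."""
    token = pseudonymise(email, key)
    return [rec for rec in records if hmac.compare_digest(rec["subject_id"], token)]


def dictionary_attack(token: str, candidates: List[str]) -> Optional[str]:
    """Attacker model: try to re-identify a token by recomputing the unkeyed
    hash of guessed e-mail addresses. Succeeds against unkeyed_hash() output
    and fails against HMAC tokens, because the attacker lacks the key."""
    for candidate in candidates:
        if hmac.compare_digest(unkeyed_hash(candidate), token):
            return normalise(candidate)
    return None


def tokens_link(email: str, key_a: bytes, key_b: bytes) -> bool:
    """Two datasets pseudonymised under different keys (for example one key
    per purpose or per processor) cannot be joined on the token alone."""
    return pseudonymise(email, key_a) == pseudonymise(email, key_b)


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    dataset = pseudonymise_records(CUSTOMERS, key)
    print(dataset)
    print(records_for_subject(dataset, "Alice@Example.com", key))
```

Using a separate key per purpose or per downstream processor is the design choice that matters here: it keeps the controller able to serve access, rectification and erasure requests, while a processor or a leaked export alone cannot re-identify anyone or correlate records across datasets.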
To ease businesses into the change, a two-year grace period has allowed them to adjust and reach compliance. During the preparation for GDPR, businesses have had the opportunity to build the required security frameworks around reliable processes with minimal chance of error and effective preventive measures, something that has clearly been missing, as the stories of major data breaches show. These dependable processes include:
- Data storage and transmission auditing
- Adequate logging of activities
- Authentication and access control
- Compliance and staff training
- Breach reporting to the data protection authority within 72 hours of becoming aware of the breach (Article 33), and to affected data subjects where the breach is likely to result in a high risk to them (Article 34)
Larger companies, public bodies, and those whose core activities involve large-scale monitoring or processing of sensitive data will need to appoint a data protection officer (DPO) responsible for the company's compliance with data protection policies and legislation (Article 37), and yes, some costs will increase. However, public safety and satisfaction are increasingly bound up with our digital lives, and GDPR goes a long way toward recognizing and prioritizing this shift.