Hailed as a model for personal data protection, the GDPR ramps up protection for online privacy for citizens across the European Union.
On Friday, new privacy regulations come into effect across the Eurozone. Companies will now have to comply with tougher privacy rights for their customers and give them better ways to handle and control their data.
The European Union General Data Protection Regulation (GDPR), which comes into effect on Friday, replaces a patchwork of rules that date back to 1995.
The GDPR heralds an era in which companies found guilty of breaking privacy laws can be fined up to 4% of their global turnover or $23.48 million (20 million euros), whichever is higher.
Many privacy advocates across the globe have hailed the GDPR as a model for personal data protection and have called on other countries to follow suit.
Critics find the new law very burdensome, while publishers and advertisers say it will make it harder for them to find customers.
The GDPR brings further clarity and strengthens existing individual privacy rights, including the right to have one’s data erased as well as the right to ask a company for a copy of one’s data. It also introduces new mandates, including the right of consumers to restrict companies from using their personal data as well as the right to transfer one’s data from one service provider to another.
“If you compare the GDPR with the data protection directive you can really compare it with a piece of software upgrading from 1.0 to 2.0,” said Patrick Van Eecke, a partner at law firm DLA Piper. “It’s a gradual and not a revolutionary kind of thing … However, for many companies it was a huge wake-up call because they never did their homework. They never took the data protection directive seriously.”
Armed with the new law, activists are already planning to leverage the right to access one’s personal data and turn the tables on large internet platforms whose business model relies on processing people’s personal information, such as Facebook.
Multinational companies (MNCs) will now have to put in place processes for dealing with such requests, as well as educate their workforce, since any non-compliance could lead to big penalties.
Companies will now have to decide the role that they play
According to experts and lawyers, the GDPR does not clearly state how far an individual’s rights extend when moving their data from one service provider to another.
“I think the data portability rights are pretty significant and are going to take a while for people to figure out what the bounds of them are and how to go about complying with them,” said David Hoffman, Director of Security Policy and Global Privacy Officer at Intel.
Case in point: Spotify can create a playlist based on an individual’s music preferences. An individual wanting to exercise his right to data portability should be able to move the playlist that he created. However, things get complicated if the playlist was created by the music streaming service provider using algorithms.
Although EU data protection covers user data, it does not cover “derived data” created as the result of an algorithm.
According to Tanguy Van Overstraeten of Linklaters, the data portability right could potentially raise issues of intellectual property.
“It’s not obvious that you can necessarily migrate the data from your system to somebody else’s system,” said Van Overstraeten.
Under the GDPR, companies that store or process user data on behalf of their clients, such as cloud computing service providers, can now potentially face penalties and lawsuits from individuals. Previously, liability in the event of a breach rested with the company that determined the purposes of data collection, which limited the exposure of those merely processing data on its behalf. The GDPR changes that.
“After 20 years of data protection legislation in place, it’s only now with the GDPR they (companies) start to think about ‘what’s my role in the whole story? Am I a data controller or data processor?’” said Van Eecke.
($1 = 0.8519 euros)