How EU's Data Privacy Law Will Impact You


(Image: Maksim Kabakou/Shutterstock)

Although the Edward Snowden revelations of a US government surveillance program on citizens caused much consternation in the US, they raised just as much ire in the European Union. That desire to see user data protected, and not left at the whims of US corporations and intelligence agencies, is what has helped drive the implementation of the European Union's General Data Protection Regulation, a new piece of regulation that could have far-reaching consequences within the EU and beyond.

Designed to replace an aging data protection initiative implemented in 1995, the GDPR will not require individual state legislation, offering a single set of rules for all EU member states. The goal of the regulation is to give citizens back control over their data. In practice, this means forcing organizations to use more obvious opt-in methods of user data collection, to keep records of users giving that consent, and to offer easier-to-access ways to withdraw it.

That's vastly different from the near carte blanche access sites and companies have to users' data currently, and it could really shake up how companies operate within the EU.

In the long term this should mean that citizens of the EU have much greater control over their personal and professional information online and that their data should be better protected from breaches. In the short term, though, it means that a lot of businesses are going to need to change the way they handle customer data and implement much greater safeguards for its capture and storage.

That's because this data protection law is actually going to have some teeth.

The GDPR introduces many changes to current data law, but the one that's stood out for a lot of people is the section on penalties. Sanctions begin with written warnings for "first and non-intentional non-compliance of regulations," but from there they stiffen very quickly.

Companies found deliberately not informing customers of data collection, or found to be repeatedly mishandling it in any fashion, can be fined up to 20 million euros, or 4% of annual worldwide turnover or revenue, whichever is greater.

In the case of a company like Apple, for example, the maximum possible fine would be close to $10 billion. That's the kind of figure even an entity like Apple would feel.

In cases where smaller infringements are noted, fines can reach 10 million euros, or up to 2% of annual turnover or revenue, but even that is rather hefty.

Fortunately for the many thousands of companies this regulation will impact, they do have some time to get their affairs in order. Although it has been adopted, the GDPR won't officially come into force until May 25, 2018.

That timeline does allow for some adjustment period for companies that operate within the EU, but it does raise some interesting questions about the UK's plans to leave the Union. The UK is unlikely to have completed its 'Brexit' by the time this regulation comes into play, and as a regulation, the GDPR does not require member state legislation to be applicable. That means companies will need to comply with the GDPR within the UK just as elsewhere in the EU. That compliance requirement may change when Brexit is completed, but for the time being, it still must be followed.

This raises further questions about the UK's Investigatory Powers Bill, which the GDPR could effectively make illegal, and, without such digital oversight, the UK's position within the Five Eyes spying network of English-speaking nations could well change too.

Only time will tell, but it seems as if the tide may be turning against the idea of mass, digital data collection without oversight.

Jon Martindale, Technology Journalist

Jon Martindale is a technology journalist and hardware reviewer, having been covering new developments in the field for most of his professional career. In that time he's tested the latest and greatest releases from the big hardware companies of the world, as well as writing about new software releases, industry movements, and Internet activism.

Re: Breaches and privacy
  • 4/5/2017 12:24:38 PM

@lyndon_Henry If you pay close attention to the wording of the Privacy Shield fact sheet, you'd see that it doesn't prevent obtaining such information and passing it on. If a business gives some cause for it and keeps its customers informed about what data it collects and transfers, it can take personal details in. 

See www.commerce.gov/sites/commerce.gov/files/media/files/2016/eu-us_privacy_shield_fact_sheet.pdf

Maintaining data integrity and purpose limitation

• Privacy Shield participants must limit personal information to the information relevant for the purposes of processing.

Ensuring accountability for data transferred to third parties

• To transfer personal information to a third party acting as a controller, a Privacy Shield participant must:
  o Comply with the Notice and Choice Principles
  o Enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles.

• To transfer personal data to a third party acting as an agent, a Privacy Shield participant must:
  o Transfer such data only for limited and specified purposes;
  o Ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles;
  o Take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles;
  o Upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and
  o Provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.

Re: Breaches and privacy
  • 4/4/2017 5:00:17 PM

..

Ariella writes that 

...agree with you about the US, though I believe that was deeply ingrained in our culture years before the election. The only thing is that American companies will have to be more careful about how they handle data that comes in from the EU to remain compliant, and that could affect quite a number of businesses with global operations.


I think the repeal-privacy bill just signed by Prez Trump pretty much corroborates my predictions (and fears) as expressed in my previous post. Since this allows ISPs now to directly sell your most intimate personal data (social security number, Web browsing history, etc.), it seems to me it goes well beyond what the EU legislation was trying to shelter.

..

Re: 192.168.l.l
  • 3/24/2017 10:18:52 AM

Britain will presumably have to negotiate rules with each country individually it would seem. That's going to take some time and create some confusion and maybe chaos down the road. But it is interesting that it's taken about 20 years for the regs to be written but at least there will be some teeth put into enforcement with fines, etc. for repeat violators.

Re: Breaches and privacy
  • 3/22/2017 8:53:39 AM

@Lyndon_Henry agree with you about the US, though I believe that was deeply ingrained in our culture years before the election. The only thing is that American companies will have to be more careful about how they handle data that comes in from the EU to remain compliant, and that could affect quite a number of businesses with global operations.

Re: Breaches and privacy
  • 3/21/2017 5:34:15 PM

..

In his blog, Jon writes "Only time will tell, but it seems as if the tide may be turning against the idea of mass, digital data collection without oversight."

I for one am not gonna hold my breath, especially with regard to the USA, for at least several reasons:

• The big corporate gorillas have large, well-funded bags of magic tricks that somehow allow them to evade or skirt the rules ...

• The big corporate gorillas basically control the bureaucracies that write the rules in the first place ...

• Trump ... 

..

Re: Breaches and privacy
  • 3/20/2017 4:21:42 PM

Michelle, I think the entire Brexit process will take years to fully realize; there are so many interrelationships and issues that need to be addressed. There are broad-scale negotiations that will need to happen within the EU and with outside countries that already had trade deals etc. with the EU and now need new ones with the UK. In a changing political climate, I expect it will not be an easy break or an easy process to rebuild.

Re: Breaches and privacy
  • 3/20/2017 2:06:44 PM

Joe, that's a great point. I don't know that Americans understand their privacy on the same level as people who have seen their privacy violated and used against them, as you described. If we don't remember history, we are destined to repeat it...

Re: Breaches and privacy
  • 3/19/2017 8:22:07 PM

@impactnow I'm curious to see how the regulations will be applied once Brexit is complete. New regulations and a newly separated state seem like a recipe for complex issues.

Re: Breaches and privacy
  • 3/19/2017 8:18:20 PM

@joe so true. We take privacy for granted since we haven't been ruled by a dictator or communist ruling party. According to alarmists, there's still time for us to experience such things. I can see where such things could happen, but not from the same perspective of the alarmists.

Re: Nothing is Sacred
  • 3/17/2017 4:42:36 PM

..

Seth writes

I just ran into this article today.  Per the Mirror UK "A sex toy company has been ordered to pay a fine of over £3 million after shipping a "smart vibrator" that tracked customers' usage without their knowledge or consent..........Customers in the US who used the vibrator's associated app, We-Connect, are entitled to the full amount, while those who simply bought the vibrator can claim up to $199 (£160)."  

Wow ... and I thought that IoT-connected toilet was outrageously invasive. This takes the cake ... or something ...

..
