Data protection has made the headlines following the recent Cambridge Analytica and Facebook scandal which revealed that the personal data of millions of people was harvested from Facebook and shared with the political consultancy firm Cambridge Analytica. The scandal coincided with the announcement of the General Data Protection Regulation (GDPR) in the European Union after four years of preparation and negotiations. What is GDPR exactly and what impact will it have in Europe and internationally?
According to the official website of the EU General Data Protection Regulation (GDPR), the new regulation "replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy".
The EU's new data protection rules are having an impact around the world as firms, including in the United States and China, move to comply. While all firms globally are required to comply with the provisions of the General Data Protection Regulation (GDPR) when it comes to the data of Europeans, the rules may have a wider impact if firms decide to extend the protections to all users.
Major U.S. platforms such as Facebook, Twitter, Instagram and Airbnb have begun to notify their users in Europe of modifications to their terms of service in order to comply with the new EU rules. Under GDPR, a user's consent to the use of their personal data must be "freely given, specific, informed and unambiguous".
Facebook has recently begun asking its European users to approve the use of their data in order to provide them with more pertinent advertisements, as well as to grant permission for facial recognition. But it is still not clear which US firms will apply GDPR to all their users and which will do so only for Europe.
"We intend to make all the same controls and settings available everywhere, not only in Europe," Facebook's chief executive Mark Zuckerberg told reporters as the crisis exploded over the use of user data for political purposes by the firm Cambridge Analytica. "Is it going to be exactly the same format? Probably not," he added.
GDPR applicability
The new regulation will bring the biggest change yet to the regulatory landscape in the European Union given its clear applicability conditions, unlike the previous Directive, which was ambiguous and referred to data processing "in the context of an establishment".
The GDPR will apply to "the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behavior that takes place within the EU. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU", according to the official GDPR website.
Under the new regulation, users and customers will enjoy numerous rights that ensure their data is protected and that they remain its sole owners.
Customers will have the right to access their data and have it transferred to another company, for example when they change from one cloud data storage provider to another. The EU says this will make it easier for people to change providers for various online services and help new start-ups compete with existing social networks.
Customers will also have the right to ask a company to delete their data if there is no legitimate reason for it to be kept. There have been concerns this could be abused by public figures such as politicians to hide embarrassing incidents, but the EU insists it is "about protecting the privacy of individuals, not about erasing past events or restricting freedom of the press".
It also stipulates that companies must inform users of data breaches "without undue delay" and tell authorities within 72 hours.
Big fines
The GDPR includes a range of tools to enforce the new rules and punish companies for breaches. These include warnings and reprimands, and stiff fines for more serious offences - up to four percent of a company's worldwide turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, according to the official GDPR website, such as not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.
"There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors - meaning 'clouds' will not be exempt from GDPR enforcement."
Marketing advantage
For Sam Pfeifle, content director at the International Association of Privacy Professionals (IAPP), some U.S. firms will have no other choice but to extend European protections to all users. "For some companies being able to discern where their customers are coming from and segregate the data is very difficult and perhaps too difficult to make it worth it," he said.
Some companies are turning this pragmatic decision into a marketing advantage, telling their U.S. clients they are offering European-level data protection, said Pfeifle. Other companies are taking the opposite approach, deciding they would rather part ways with European users entirely than go through the effort of complying with the GDPR.
In China, there are fewer sensitivities about privacy, and the EU regulation will certainly be viewed more as a constraint than a marketing advantage. "Of course we will respect the GDPR for our European clients," said a European working for a major Chinese internet firm on condition of anonymity. But for Chinese users, the application of such privacy safeguards is likely to wait for another day.
The Chinese "don't have any reticence handing over their personal data if they see they are of some value" such as in new services or discounts, said the European executive, speaking on condition of anonymity.
Chinese internet titans are currently testing a system that assigns every citizen a social credit score, one that goes beyond a regular credit rating of a person's finances and payment history by evaluating their behavior and preferences as well as their personal relationships.
But it isn't impossible that the European effort to codify and organize the respect for privacy will have an influence even in China, where internet users have occasionally lashed out.
At the beginning of the year, Beijing said it had reprimanded several Chinese tech firms for inadequate protection of user data following a controversy implicating Alipay, the top Chinese payments platform linked to online commerce giant Alibaba. Users reacted angrily after discovering the platform had been set up to automatically share user data with a credit rating service. Alipay's parent company Ant Financial apologized and redesigned the service so users had to opt in to use it.
A challenge for the Middle East
Companies in the Middle East are not exempt from the GDPR and should consider the new regulation's impact, especially if they have customers, subsidiaries or partners in Europe. Compliance with the GDPR will be considered a complementary step to the data protection measures that many companies in the region are already adopting.
The legal risks of failing to comply with the GDPR will force companies in the Middle East to reconsider the data protection strategies they apply with European customers and partners. The latter will demand GDPR compliance before sealing any deals.
The new data protection regulation will lead more companies in the Middle East to reinforce their security controls and measures. Many countries already have their own data protection regulations, but complying with GDPR could be challenging for some given how detailed and strict it is.
Companies in the region will face challenges while endeavoring to comply with the GDPR. They have to prove their ability to manage and protect personal data, increase their investment in data protection, step up their efforts to report data breaches within 72 hours and nominate the team that will handle data protection and privacy.
In order to embrace the GDPR, companies should start by appointing a data protection officer who can monitor compliance with the regulation and recommend the best tools for backing up data in case the company is attacked.
According to Gregg Petersen, Regional Sales Vice President, Middle East & Africa, Veeam Software, every business should know what personal data it holds, where it's stored, how, and where it came from. They also need to know why they're holding it and how they came to have it. Any or all of these questions might be asked by local GDPR enforcement agencies.
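The two concrete obligations the article keeps returning to are the 72-hour breach notification window and knowing what personal data is held, where, from what source and for what purpose. The following is an added example, not code from the article, Veeam, or any EU body: a small Python script that audits a constructed records-of-processing inventory for the missing answers a regulator could ask about, and computes the notification deadline from the moment a breach becomes known. The record fields, the sample inventory and the check logic are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List

# Assumption: GDPR's "without undue delay" authority notification is
# modelled here as a fixed 72-hour window from the time of awareness.
NOTIFICATION_WINDOW = timedelta(hours=72)

# Fields a regulator may ask about; each must be answered for every dataset.
REQUIRED_ANSWERS = ("storage", "source", "purpose", "lawful_basis")


@dataclass
class ProcessingRecord:
    """One entry of a hypothetical records-of-processing inventory."""
    dataset: str
    categories: List[str] = field(default_factory=list)  # what data is held
    storage: str = ""       # where it is stored
    source: str = ""        # where it came from
    purpose: str = ""       # why it is held
    lawful_basis: str = ""  # e.g. consent, contract, legal obligation


def check_record(rec: ProcessingRecord) -> List[str]:
    """Return a list of gaps in one record (empty list means complete)."""
    issues = []
    if not rec.categories:
        issues.append(f"{rec.dataset}: no personal data categories listed")
    for name in REQUIRED_ANSWERS:
        if not getattr(rec, name).strip():
            issues.append(f"{rec.dataset}: missing {name}")
    return issues


def audit_inventory(records: List[ProcessingRecord]) -> List[str]:
    """Flatten the gaps of every record into one findings list."""
    return [issue for rec in records for issue in check_record(rec)]


def notification_deadline(aware_at: datetime) -> datetime:
    """Latest time the supervisory authority must be told of a breach."""
    return aware_at + NOTIFICATION_WINDOW


def hours_remaining(aware_at: datetime, now: datetime) -> float:
    """Hours left before the deadline; negative means it has already passed."""
    return (notification_deadline(aware_at) - now).total_seconds() / 3600


# Constructed sample inventory: one complete entry, one with gaps.
SAMPLE_INVENTORY = [
    ProcessingRecord(
        dataset="customer_accounts",
        categories=["name", "email", "billing_address"],
        storage="eu-west region, encrypted volume (constructed)",
        source="collected at sign-up",
        purpose="fulfil orders and send invoices",
        lawful_basis="contract",
    ),
    ProcessingRecord(
        dataset="marketing_leads",
        categories=["email"],
        storage="",                      # nobody knows where the export lives
        source="purchased list (constructed)",
        purpose="newsletter",
        lawful_basis="",                 # no consent record on file
    ),
]


if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print("FINDING:", finding)

    # Constructed breach timeline: team became aware at 09:00 UTC on 25 May 2018.
    aware = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    now = datetime(2018, 5, 26, 9, 0, tzinfo=timezone.utc)
    print("Notify authority by:", notification_deadline(aware).isoformat())
    print("Hours remaining:", hours_remaining(aware, now))
```

Run as a script, the audit prints two findings for the `marketing_leads` entry (no storage location, no lawful basis) and a deadline 72 hours after the awareness time; a real inventory would be loaded from a register rather than hard-coded, but the checks are the same questions the article lists.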