EU privacy law enters into force, activist takes aim
[May 25, 2018]
By Julia Fioretti
BRUSSELS (Reuters) - New European privacy regulations went into effect
on Friday that will force companies to be more attentive to how they
handle customer data.
The ramifications were visible from day one, with major U.S. media
outlets including the LA Times and Chicago Tribune forced to
shutter their websites in parts of Europe.
People in the bloc have been bombarded with dozens of emails asking for
their consent to keep processing their data, and a privacy activist
wasted no time in taking action against U.S. tech giants for allegedly
acting illegally by forcing users to accept intrusive terms of service
or lose access.
"You have to have a 'yes or no' option," Austrian Max Schrems said
before filing complaints in European jurisdictions. "A lot of these
companies now force you to consent to the new privacy policy, which is
totally against the law."
The European Union General Data Protection Regulation (GDPR) replaces
the bloc's patchwork of rules dating back to 1995 and heralds an era
where breaking privacy laws can result in fines of up to 4 percent of
global revenue or 20 million euros ($23.5 million), whichever is higher,
as opposed to a few hundred thousand euros.
Many privacy advocates have hailed the new law as a model for personal
data protection in the internet era and called on other countries to
follow the European model.
Critics say the new rules are overly burdensome, especially for small
businesses, while advertisers and publishers worry it will make it
harder for them to find customers.
The GDPR clarifies and strengthens existing individual rights, such as
the right to have one's data erased and the right to ask a company for a
copy of one's data.
But it also includes entirely new mandates, such as the right to
transfer data from one service provider to another and the right to
restrict companies from using personal data.
"It's a gradual and not a revolutionary kind of thing ... However for
many companies it was a huge wakeup call because they never did their
homework. They never took the data protection directive seriously," said
Patrick Van Eecke, partner at law firm DLA Piper.
Activists are already planning to use the right to access their data to
turn the tables on internet platforms whose model relies on processing
people's personal information.
That means companies are having to put in place processes for dealing
with such requests and educating their workforce because any
non-compliance could lead to stiff sanctions.
[Photo caption: Silhouettes of laptop and mobile device users are seen
next to a screen projection of Google logo in this picture illustration
taken March 28, 2018. REUTERS/Dado Ruvic/Illustration/File Photo]
Studies suggest that many companies are not ready for the new rules. The
International Association of Privacy Professionals found that only 40
percent of companies affected by the GDPR expected to be fully compliant
by May 25.
DATA PORTABILITY
It is unclear how many provisions of GDPR will be interpreted and enforced.
European regulatory authorities, many of whom say they are under-funded, will
oversee the new law, with a central body to resolve conflicts.
One key provision of GDPR, the right to data portability, is causing particular
confusion.
"I think the data portability rights are pretty significant and are going to
take a while for people to figure out what the bounds of them are and how to go
about complying with them," said David Hoffman, director of security policy and
global privacy officer at Intel.
For example, music streaming services such as Spotify create playlists for users
based on their music preferences. While a user seeking to exercise the data
portability right would be able to move playlists he or she created, the
situation becomes fuzzy if the playlists are created by the streaming service
using algorithms.
EU data protection authorities said individuals should be able to transfer data
provided by them but not "derived data" created by the service provider such as
algorithmic results.
"It's not obvious that you can necessarily migrate the data from your system to
somebody else's system," Tanguy Van Overstraeten, of Linklaters, said.
On the business side, companies are rushing to renegotiate contracts with
suppliers and service providers because GDPR increases their liability if
something goes wrong.
Data processors which only process or store the data on behalf of their clients,
for example cloud computing providers, will be directly liable for sanctions and
could face lawsuits from individuals, and that needs to be reflected in
contracts.
"After 20 years of data protection legislation in place, it's only now with the
GDPR they (companies) start to think about 'what's my role in the whole story?
Am I a data controller or data processor?'" Van Eecke said.
(Editing by Matthew Mpoke Bigg and Alison Williams)
[© 2018 Thomson Reuters. All rights reserved.] This material may not be
published, broadcast, rewritten or redistributed.
Thomson Reuters is solely responsible for this content.