Washington, DC – The GDPR roll-out is just days away, and people’s inboxes are receiving a steady stream of privacy updates from sites they are subscribed to. But despite the regulation coming into effect on May 25, 2018, a recent survey shows that 40 percent of companies do not expect to be in compliance by that date. The same study shows that mid-sized companies with 5,000 to 25,000 employees report the highest readiness level for GDPR compliance, ahead of both small and large businesses. The majority of respondents said that the biggest hindrance to compliance is the need to make comprehensive changes to business practices. The penalties for non-compliance can reach €20m or 4 percent of global annual turnover, whichever is the greater amount.
Ever since Facebook’s data scandal broke, companies have been taking a long, hard look at customer data privacy. Instagram, which is owned by Facebook, announced a personal data download feature for users in an effort to comply with GDPR.
WhatsApp, also owned by Facebook, announced today that users will be able to download their personal data. WhatsApp is also raising the minimum age for users in Europe from 13 to 16 to comply with GDPR, while its minimum age for users in other parts of the world will remain 13. Facebook has said that it will comply with GDPR for users in Europe, but in an interview with Reuters earlier this month, Mark Zuckerberg said that Facebook “would apply the EU law globally ‘in spirit,’ but stopped short of committing to it as the standard for the social network across the world.”
Apple Inc, like Twitter, has said that user privacy protections will apply globally.
Facebook is in the news again regarding user privacy after the revelations about the Cambridge Analytica data misuse. After five days of silence, Facebook CEO Mark Zuckerberg posted a statement on Facebook: “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you. I’ve been working to understand exactly what happened and how to make sure this doesn’t happen again. The good news is that the most important actions to prevent this from happening again today we have already taken years ago. But we also made mistakes, there’s more to do, and we need to step up and do it.”
Zuckerberg’s statement may not reflect the full extent of the fiasco, but enough red flags are being raised globally. Zuckerberg has been asked to testify by the leaders of the House Energy and Commerce Committee. The Office of the Privacy Commissioner of Canada has also launched an investigation into the alleged unauthorized access to and use of Facebook user profiles.
This is quite the prelude to the General Data Protection Regulation (GDPR), an EU privacy law that comes into effect on May 25, 2018. It regulates the collection and use of personal data belonging to individuals in the EU. Global companies, including those in the US, come under the purview of GDPR if they collect or process the personal data of EU residents, even if they are based outside the EU. This will have a global impact on how business is conducted. It also gives every data subject in the EU the right to find out (upon request) which company holds what personal data about them and how it is used.
Personal data includes, but is not limited to, names, physical addresses, email addresses, IP addresses, behavioral data, location data, biometric data, genetic data, and financial information. Under GDPR, even data collected under a pseudonym is still personal data if it can be linked back to a particular individual, for example by whoever holds the key or mapping table used to create the pseudonym. Only data that cannot be attributed to a person by any reasonably likely means counts as anonymous and falls outside the regulation.
GDPR defines processing broadly as any operation performed on personal data, including collecting, recording, organizing, storing, using, disclosing or erasing it. As an example, if your mailing list contains the email address, name, or other personal data of anyone in the EU, then you are processing EU personal data.
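The pseudonymization point above is where practitioners most often go wrong: hashing an identifier does not make it anonymous. The following added example (not part of the original article) shows why. An unkeyed SHA-256 of an email address is deterministic, so anyone holding a list of candidate addresses can recompute the hashes and link records back to people. A keyed HMAC under a secret held separately by the controller blocks that dictionary attack for outsiders, but the controller can still re-identify the record, which is exactly why GDPR still treats the keyed pseudonym as personal data. The candidate addresses and the controller key are constructed for the example and are not real.

```python
import hashlib
import hmac
from typing import Callable, Iterable, Optional

# Constructed sample data: a set of candidate identifiers an attacker might
# hold (e.g. scraped from a public list). These are not real addresses.
CANDIDATE_EMAILS = [
    "alice@example.com",
    "bob@example.org",
    "carol@example.net",
    "dave@example.com",
]

# Hypothetical secret held by the controller, stored apart from the dataset.
CONTROLLER_KEY = b"hypothetical-32-byte-secret-key-0001"


def normalize(email: str) -> bytes:
    """Canonicalize before hashing so 'Carol@Example.net ' and
    'carol@example.net' map to the same pseudonym."""
    return email.strip().lower().encode("utf-8")


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256. Deterministic and keyless, so anyone with a guess
    list can recompute it: this is NOT anonymization."""
    return hashlib.sha256(normalize(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Recomputing it requires the key, so
    only the key holder can link the pseudonym back to the person."""
    return hmac.new(key, normalize(email), hashlib.sha256).hexdigest()


def reidentify(
    pseudonym: str,
    candidates: Iterable[str],
    pseudonymize: Callable[[str], str],
) -> Optional[str]:
    """Dictionary attack: recompute the pseudonym for each candidate and
    return the first match, or None if no candidate produces it."""
    for cand in candidates:
        if hmac.compare_digest(pseudonymize(cand), pseudonym):
            return cand
    return None


def demo() -> dict:
    """Run the three cases an assessor should care about and return the
    recovered identity (or None) for each."""
    target = "carol@example.net"
    naive = naive_pseudonym(target)
    keyed = keyed_pseudonym(target, CONTROLLER_KEY)
    return {
        # Outsider with a guess list recovers the identity from a plain hash.
        "naive_recovered": reidentify(naive, CANDIDATE_EMAILS, naive_pseudonym),
        # Outsider without the key cannot link the keyed pseudonym.
        "keyed_without_key": reidentify(
            keyed, CANDIDATE_EMAILS, lambda e: keyed_pseudonym(e, b"attacker-guess")
        ),
        # The controller, holding the key, still can: still personal data.
        "keyed_with_key": reidentify(
            keyed, CANDIDATE_EMAILS, lambda e: keyed_pseudonym(e, CONTROLLER_KEY)
        ),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The practical check for a data inventory is therefore not "is the field hashed?" but "who can recompute or reverse the mapping?". If the answer is anyone (unkeyed hash of a low-entropy identifier) or the controller (keyed hash, lookup table), the dataset is pseudonymized personal data and all GDPR obligations still apply.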
Penalties for companies that violate GDPR can be severe. For the lower tier of infringements, such as failing to notify the supervisory authority of a data breach, companies can be fined up to 2% of annual global turnover or €10 million, whichever is higher. For the upper tier, such as processing data without valid consent, the fine can be up to 4% of annual global turnover or €20 million, whichever is higher. These obligations apply to both data controllers and data processors, which brings cloud service providers within the scope of GDPR. Controllers carry the heavier burden: if you collect personal data and contract a cloud service to store it, you (the controller) must ensure, through a written processing agreement and ongoing oversight, that the cloud service provider (the processor) adheres to GDPR requirements.
Under GDPR, consent is opt-in, giving individuals greater control over their personal information. When companies collect personal data, individuals have the right to know what a controller is doing with their information, the right to access that information, and the right to know what it is being used for and whether it is being transferred to third parties. For controllers this creates a new responsibility to be transparent about how they handle information.
GDPR has also established stricter consent requirements so that companies will no longer be able to use long illegible terms and conditions full of legalese. The request for consent has to be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. “Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.”
In his statement on Facebook, Zuckerberg acknowledged that the company learned about the misuse of data by Cambridge Analytica in 2015 from journalists at the Guardian. In an interview with CNN, Zuckerberg said that the 50 million users whose information was collected by Cambridge Analytica will learn about it ‘soon’. Imagine this scenario under GDPR, which requires that a personal data breach, meaning any loss, alteration, or unauthorized disclosure of or access to personal data, be reported to the supervisory authority within 72 hours of the controller becoming aware of it, and that affected individuals be notified without undue delay when the breach is likely to pose a high risk to them.
Even after appearing on CNN, Zuckerberg did not appear to apologize for a breach of personal data on this scale. In the social media age, with the reach of the Internet still expanding, privacy boundaries will keep being tested. But it would be naive to expect the builders, miners and users of big data to apply a “moral” filter on their own. The European Union, which has long been at the forefront of safeguarding personal data, is giving its residents a stringent mechanism to become savvier and to exercise their GDPR rights to guard their own data. This is also likely to deter companies from collecting information unless there is a legitimate reason, and a more unified privacy regime around the world is likely to bring long-term benefits to businesses and organizations, as well as to individuals.