New EU Regulation on PD Protection Enters into Force

    In late May, the European Union plans to tighten the requirements for the processing of personal data. Read more about the innovations and the reactions of IT companies - under the cut.

    What is GDPR

    The General Data Protection Regulation is a data protection regulation that aims, among other things, to tighten the regulation of PD processing within the EU. It will enter into force on May 25, 2018 and will replace the Data Protection Directive adopted in 1995.

    GDPR will affect any companies and organizations that in some way process the PD of EU citizens (including American IT corporations). With this in mind, the US Department of Commerce in July 2016 developed the EU-US Privacy Shield mechanism (protection of PD within the framework of US-EU cooperation). Its task is to help American companies bring their activities in the EU into line with local directives on working with PD. In October 2017, the EU-US Privacy Shield was approved by the EU itself and attracted interest from more than 2,000 companies, including Google, Microsoft and Facebook. However, European observers have repeatedly criticized this mechanism for being insufficiently strict in regulating work with PD.

    How GDPR Works

    The regulation is binding. Penalties for non-compliance reach up to 20 million euros or 4% of the company's annual turnover, which is calculated on the basis of revenue not only in the EU but worldwide. The regulator intends to apply the fairly general provisions of the regulation in the interests of EU residents - companies will most likely not be able to find any loopholes here. For example, responsibility extends to any organization with a staff of more than 250 people, but companies with fewer employees are not excluded if their business activities pose a risk to the rights and freedoms of EU citizens. This wording potentially affects any company.

    The law distinguishes two categories of organizations: data controllers (operators) and data processors. Operators are companies that store PD. Processors are any companies that use this data. The regulation places equal responsibility on both categories. If a company uses a third-party service that does not meet GDPR requirements, the company itself automatically falls out of compliance with the regulation. Thus, the introduction of the new regulation will mean a review of the business's relationships with cloud providers, SaaS startups and payment organizations.

    A PwC study showed how seriously American companies take GDPR - 68% of companies plan to spend from 1 to 10 million dollars to meet the new requirements, and 9% of organizations plan to spend more than 10 million dollars. According to an Ovum report, two-thirds of US companies believe that the new regulation will force them to reconsider their strategy for working in the EU. At the same time, most American companies believe that European businesses will gain a competitive advantage while American ones will be fined. The consulting agency Oliver Wyman predicts that the EU could collect at least $6 billion in fines in the first year after the introduction of the new regulation.

    Google's response to GDPR

    The new regulation forced Google to make adjustments to almost all of its services. For example, the user agreements for AdWords and Google Analytics have been updated to notify users of GDPR requirements.

    In cases where Google and the client company that uses its applications act as data operators independent of each other, Google will update the current agreements and also introduce new so-called "inter-operator" agreements (controller-controller terms). The essence of these inter-operator agreements is that both operators (Google and the client company), each at its own discretion, manage the PD within a framework that meets the requirements of the GDPR.

    According to PageFair, such an agreement carries risks for companies using Google services. Indeed, in this case the IT giant can gain access to the PD collected by the client company, and the client company will not be able to tell its users how their PD will be used. Given that the GDPR distributes responsibility among all information processors, the other processors run the risk of being in breach of the contract if Google abuses its position.

    Google will also launch a non-personalized advertising service to meet GDPR requirements. Using this service, customers will be able to advertise products without collecting the PD of their users.

    Facebook's reaction to GDPR

    On its website, Facebook announced ongoing work to meet GDPR requirements. The company has expanded its data protection department in Dublin and made it the main body coordinating all efforts in this area. For example, in late March Facebook closed its "Partner Categories", which allowed advertisers on the site to use PD collected by the major third-party operators Datalogix, Epsilon, Acxiom and BlueKai.

    However, it is still unclear whether Facebook plans to comply with GDPR requirements globally or will try to comply with them only in the European segment. Last week, in a telephone interview with Reuters, Mark Zuckerberg rejected a broad rollout of changes to the platform and noted that the company was working to ensure that part of the GDPR requirements applied on a global scale, but declined to comment on which part was in question.

    In an open letter to Zuckerberg, a number of American and European consumer protection organizations demanded that the company "confirm compliance with the requirements of the GDPR at the global level, as well as provide a detailed plan of the ongoing activities in this regard." No official response has been received from Facebook at this time.
