How EU is going to save Data Privacy

European Union sets the silver lining on the Data cloud.

Whether you love it or hate it, there’s a new EU regulation coming up. If you live in an EU country, you know all about the sometimes outright comically sounding EU regulations, like this one, regarding the shape of bananas.

But fruits aside, the European Union is working on replacing an old data protection regulation with a new one, titled the “General Data Protection Regulation”. This directive, applying to member states in 2018, focuses on regulating how personal data is processed and stored and it will be part of set of EU’s privacy and human rights laws.

New reform of the previous regulations were proposed in 2012 and was entered into force last May. The regulation has a two year grace period allowing countries and companies to prepare for the change.

The new era of digital privacy

Here are just some of the new rules and regulations set:

Individual control of personal data

According to the new standards, individuals should be able to control and view their data and should be informed when their data is being collected. Interestingly the reform requires opt-in model for data collection except in certain circumstances. And you still have to be notified, even when you can’t opt-out, such as in cases where gathering data is legally required. The legislation also includes a clause, which states that users affected by mishandled data are entitled to compensation as well.

The regulation also states that users must easily be able to move their data from one company to the other. This also includes the ability to permanently delete your data. This is something that brings assurance, that your data is actually removed and not simply unlinked.

Transparency requirements for companies data protection policies

What this means is that companies are required to publish information on how exactly they are protecting the user’s data. The regulations actually suggest using simple icons to indicate where and by whom the personal data is processed and stored (perhaps something like this?).

Data protection

The reform introduces new obligations for companies regarding protection of data. The obligations include for example requiring a specific data protection officer in companies who is in charge of the data processed and reporting to a supervisory agency (this officer, although is not required in smaller companies).

The regulation also requires companies to invest in designing data protection policies as a part of their business plan. Data protection techniques suggested include anonymization and encryption of personal data.

Breach notifications

Companies are required to notify of security breaches that have caused or might have caused loss of personal data. The notification must be made as soon as possible (though, within 72 hours) to both authorities and people affected by the breach.

Of course, all this wouldn’t be much without the best incentive for companies, money. The regulations set sanctions that can be imposed to companies failing to comply with the regulations, that can be as much as 20 million euros or alternatively, 4 % of the company’s annual turnover.

Fight against the US

Historically, when it comes to protecting user data, the United States has been an advocate for market-driven and self-regulating rules for data protection. In some industries this is fine, such as the in credit card industry with their Payment Card Industry Data Security Standard (PCI DSS), which is an industry standard throughout the world for protecting credit card data. But the US still lacks a uniform legislation. How regulating this kind of data works in the US, is that there are multiple laws, each setting regulations in a certain area (such as health sector) or protecting certain groups (such as children or mobile phone users).

Sure, regulating medical history data is easy to understand, but when the amount of data that is collected online increases, the personal meaning to that data does too. Which one would you rather be public: your medical history, or your browser history?

It’s hard to have market driven privacy, when your whole market depends on collecting and selling personal data. This, of course, is likely not going to change in the following years of Trump’s America.

Since the internet has no borders, In 2016, in an effort to force strict EU standards to apply to EU citizens everywhere, the EU singed a deal with the US establishing the new “Privacy Shield”. Purpose of the agreement was to allow personal data from the EU to retain the same level of protection as it does within EU borders. Regardless of where the data was transferred and processed, if the data is from the European Union, it’s secured under the Privacy Shield legislation. Unfortunately, in the last few months, there has been concerns on it’s legal stability that might indicate the agreement is not on solid ground. The new EU regulation should, however, cover the protection of user data wherever it goes and US companies should abide by it if they want to continue doing business in Europe.

Spying vs. “Collecting data”

In the wake of the recent publications of the hacking methods used by the CIA, there’s been tremendous public interest on government level surveillance. The not-so tech-savvy hear that the CIA can hack your smart-tv and start to feel uneasy that an international spy organisation might hear their evening conversations by the television (even though it would actually require them to break in your house).

So CIA can hack your Android phone, but whatever you do online these days is stored somewhere. You don’t even have to be targeted.

How all these regulations will work in practice, remains to be seen. But what is clear, is that these rules set the right direction for enabling people to better manage their personal data and set clear obligations to companies for securing the data. However, this comes with a price of more administrative burden to companies.