Reliance GCS
Jun 15, 2018


GENERAL DATA PROTECTION REGULATION (GDPR) : RESHAPING THE GLOBAL WEB

General Data Protection Regulation (GDPR): A RADICAL SHIFT IN THE DATA LANDSCAPE

Executive Summary

1. The General Data Protection Regulation (GDPR) is a new EU law that changes how personal data can be collected and used. Even companies based outside the EU must follow the new rules if they offer their services in the EU. Customers must agree to having their data collected, shared and used for targeted advertising, or delete their accounts. The impact is radical and the penalties of the GDPR are severe: maximum fines per violation are set at 4 percent of a company’s global turnover (or $20 million, whichever is larger).

2. The most important changes will be happening behind the scenes. The GDPR also sets rules for how companies share data after it’s been collected, which means companies have to rethink how they approach analytics, logins, and, above all, advertising.

3. Not everyone is ready for GDPR, but companies from Google to Slack have been quietly updating their terms, rewriting contracts, and rolling out new personal data tools in preparation for the massive shift in the legal landscape. So far, it’s mostly been a problem for legal departments, but as policy changes and contract fights go public, it’s started affecting the average web user, too.

4. On the other hand, there has been major disruption among tech companies worldwide, and many have suspended their services to European clients.

5. Still, for many on the internet, GDPR remains a black box of legalese and obscure policy. Here’s what you need to know about it.

GENERAL DATA PROTECTION REGULATION (GDPR)

What is the GDPR?

1. The General Data Protection Regulation is a rule passed by the European Union in 2016, setting new rules for how companies manage and share personal data. In theory, the GDPR only applies to EU citizens’ data, but the global nature of the internet means that nearly every online service is affected. The GDPR sets a higher bar for obtaining personal data than we’ve ever seen on the internet before. Any time a company collects personal data on an EU citizen, it will need explicit consent from that person. Users also need a way to revoke that consent, and they can request all the data a company has from them as a way to verify that consent. It’s a lot stronger than existing requirements, and it explicitly extends to companies based outside the EU. For an industry that’s used to collecting and sharing data with little to no restriction, that means rewriting the rules of how ads are targeted online.

2. The GDPR’s penalties are severe enough to get the entire industry’s attention. Maximum fines per violation are set at 4 percent of a company’s global turnover (or $20 million, whichever is larger). That’s a lot more than the fines allowed by the Data Protection Directive, and it signals how seriously the EU is taking data privacy. Google and Facebook could withstand a fine like that (they have before), but it would be enough to sink a smaller firm.

3. Most importantly, the GDPR gives companies a hard deadline: the new rules have been in effect since 25 May 2018. The result has been a mad dash to adapt current practices to the new rules and avoid one of those crushing fines.

What’s going to change?

4. The most visible and immediate changes are coming in Terms of Service and other warnings. The GDPR’s idea of consent requires a lot more than previous regulations, which means companies will be asking permission to collect your data a lot more often.

5. There will also be more opportunities to download all the data a company has on you. Google Takeout has existed for a while, and smaller services like Slack are starting to roll out similar options to satisfy the GDPR’s data portability requirements. That helps in two ways: it lets you check what companies are collecting, and it could help unwind platform dominance by letting you transfer data between networks. If you want a way to export your Facebook messages to Ello, the new portability requirements will ensure there’s a way to do it.

6. The most important changes will be happening behind the scenes. The GDPR also sets rules for how companies share data after it’s been collected, which means companies have to rethink how they approach analytics, logins, and, above all, advertising. A single site could easily have 20 ad-targeting partners, often invisible to the user; all of these partners have to be brought into the open, and their contracts have to be rewritten to comply with the GDPR. That means unearthing a notoriously messy system that’s been built on the idea that there’s no cost to sharing data.

The Impact: Will this actually make online data collection less invasive?

7. It’s too early to say. We know roughly what compliance looks like, but we still don’t know what enforcement will look like or how aggressive the EU regulators will be. The simplest takeaway is that breaches will get a lot costlier, and that cost will be spread a lot further through the network. It will get more expensive to share user data.

8. A divide between the European Union and the rest of the internet is imminent, with the result that European users will see a meaningfully different internet from the rest of the world.

9. So much of the internet is based on the free exchange of user data that the NSA can use the same system to track users across the web, and political firms like Cambridge Analytica (which is likely to stop operations after the Facebook scandal) can use it to quietly single out particular subgroups. The GDPR is starting to roll this back, but the most profound changes will take years to play out, potentially reshaping the web as we know it.

10. The General Data Protection Regulation went into effect on May 25th, and no one is ready — not the companies and not even the regulators. In a recent meeting with the European Parliament, Mark Zuckerberg declared that Facebook would be GDPR compliant by the deadline, but if so, the company would be in the minority.

11. It’s not a pleasant position to be in, because the GDPR allows regulators to fine companies up to 4 percent of their global revenue for violations. To put that in perspective, a 4 percent fine on Amazon would be $7 billion. (Interestingly, since a company like Amazon reports huge revenues and relatively small profits, a 4 percent fine could cost it over two years of profit.)

12. Another GDPR provision that might strain regulatory resources is the data breach notification requirement. Companies are required to notify a relevant data protection authority within 72 hours of discovery, but what the regulator does afterward is not entirely clear. Regulators may not be ready to audit a company’s security or figure out exactly what to do to protect EU residents affected by the breach. But still, they have to do something. They might have some flexibility on how to respond, but the GDPR won’t allow them to do nothing.

Tech Companies block EU users

13. Major disruptions reported so far are as under:

a. Pinterest’s news-clipping service Instapaper is one of the most high-profile services to announce that it will bar EU users from accessing its platform.

b. The movie and TV review app Stardust has gone even further. It has removed its product from EU versions of Google Play and Apple’s App Store, and deleted all EU residents’ records.

c. Unroll.me — a service that promises to declutter users’ email inboxes of unwanted messages — is another product to have temporarily halted its service to EU customers and deleted accounts.

d. Payver, a San Francisco-based dashcam app, has signaled that it is pulling out of the EU and does not intend to return.

e. Several video games companies are also blocking EU citizens’ access to older products rather than update them. They include the multiplayer shooter Loadout.

f. Super Monday Night Combat — the arena shooter closed down earlier this week blaming GDPR for the move.

g. Ragnarok Online — the role-playing game says it will block all visitors from Europe.

h. Tunngle — a service that allowed gamers to connect their PCs together to play titles within a local network — closed last month saying it lacked the funds to make necessary changes.

New Opportunities

14. For some, however, the situation has presented an opportunity. Several services have cropped up offering a way for website administrators to block EU-based visitors rather than check that their pages meet the new requirements.

What is the right to be forgotten?

1. People can also ask for their personal data to be deleted at any time — if it’s no longer relevant. This is known as the right to be forgotten. This right also applies online. Someone could ask a company that has made their personal data available online to delete it, for example. Those companies are obligated to inform others that the owner of the personal data has requested the right to be forgotten. The data, links to it and copies of it, must be deleted.

How will the GDPR affect business?

2. Companies with more than 250 employees must document all of the data they are processing, including why, how customers opted in, who can see the data, and a description of their security measures. Smaller companies might need only to document data they process on a regular basis, or data they process that is sensitive. Some business groups have raised concerns, as recording this additional information will be a burden.

3. The Indian Government may have to revisit the Indian IT Act 2000, as any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if it does not have a business presence within the EU.

Prima Facie Business Sectors Affected in India

Services Sector

4. In India, the major markets for IT software and services exports are the U.S., U.K. and Europe, accounting for about 90% of total IT/ITeS (IT Enabled Services) exports. According to the European Commission, in 2016 Indian service sector exports to the EU were €13.6 billion, alongside goods trade of €41.7 billion. Europe is estimated to be a $45 billion potential outsourcing opportunity for Indian technology services vendors. GDPR compliance will, therefore, be critical for the Indian IT industry. India will have to assess its position and make commensurate changes in keeping with the global IT regulatory environment.

Telecommunication and Retail

5. The GDPR will be a huge responsibility for data-rich sectors like retail and telecom. These sectors collect and analyze valuable and critical data such as customers’ purchase history and contact details. The data gathered and stored by retail and telecom organizations allows them to provide mobile and online services to customers. Organizations which plan on monitoring and processing personal data on a large scale will now need to employ GDPR officers to carry out this mandate.

Source: Propeller Insights, Netsparker Ltd.

Conclusion

1. The era of US dominance over global data seems unquestionably over, and the GDPR can safely be dubbed the ‘last nail in the coffin’. The EU lawmakers in Brussels passed the new legislation in April 2016, and the full text of the regulation has been published online. Misusing or carelessly handling personal information will bring fines of up to 20 million euros ($23.4m; £17.5m), or 4% of a company’s global turnover. In the UK, which is due to leave the EU in 2019, a new Data Protection Act will incorporate the provisions of the GDPR, with some minor changes. All EU citizens now have the right to see what information companies have about them, and to have that information deleted. Companies will now have to be more active in gaining consent to collect and use data, in theory spelling an end to simple “I agree with terms and conditions” tick boxes. Companies will also have to tell all affected users about any data breach, and tell the overseeing authority within 72 hours. Each EU member state must set up a supervisory authority, and these authorities will work together across borders to ensure companies comply.

2. In India, BN Srikrishna is a genial, 77-year-old former Supreme Court judge who recites Shakespeare and Sanskrit scriptures with equal facility. But he’s making the likes of Google, Amazon and Facebook more than a little nervous. Srikrishna is leading the effort to draft new data-privacy laws for India that will regulate how tech giants from the U.S. and elsewhere operate in the nation of 1.3 billion. His recommendations carry particular weight because India is already the biggest market for companies like Facebook Inc. and offers enormous potential for dozens more. The committee Srikrishna helms will send its bill to the government this week as the Government mulls over revisiting the IT Act 2000.

PUNKEJ DUTTA

HEAD: Fraud Risk Management (FRM)

CoE, GCS, RCP, Navi Mumbai
