What is GDPR and why should you care? Because it’s the future of Internet regulation in the EU and it affects web publishers, advertisers, and users.
General Data Protection Regulation Is A Good Idea
The EU General Data Protection Regulation is supposed to be the most important change in personal data protection regulation since internet privacy became a mainstream issue. The legislation has taken more than four years to prepare and is a complex set of regulations governing the collection, storage and use of data.
The data bill was passed by EU Parliament on April 14, 2016, and is set to take effect on May 25th, 2018. It replaces Data Protection Directive 95/46/EC and will reshape the way businesses, organizations and governments think about your data and online privacy. The penalty for non-compliance: heavy fines, though that may not be enough.
- Point of note. The original Data Protection Directive does not carry the weight of law. It is a goal that EU member nations are meant to achieve on their own terms. This means a hodgepodge of regulations that make cross-border activity difficult at best. The new EU General Data Protection Regulation is a regulation, a law that must be followed by all EU member nations or face penalties.
A lot has changed since the original directive was enacted: there are more Internet users every day, and with the spread of IoT they are creating more data than ever before. The EU GDPR is a tool meant to create uniformity in Internet protection laws among the diverse member states and so provide better protection for their citizens. Without proper regulation, it would be possible for website owners, ISPs and just about anyone else to build thorough, detailed, descriptive, informative dossiers on every one of us.
The law itself looks at data collection from two perspectives: the controller and the processor. The controller is anyone who determines the purpose, conditions and means of processing data, while the processor is anyone or anything that does the actual processing on behalf of the controller. This may sound like the same thing, but it isn’t: the jargon distinguishes anyone who collects, purchases or processes data for their own purposes from companies that are in the business of processing data for others.
3 Key Areas of Personal Data Protection
The new regulation focuses on three key areas of personal data protection:
- Territorial scope.
In the past, it was questionable exactly whom the EU DPD 95/46/EC applied to. Entities residing outside the EU, or with data collection and processing equipment located outside the EU, have been able to wiggle their way through loopholes, but no more. The GDPR makes it clear who is covered: anyone residing or located in the EU, and any business or organization collecting and using data derived from those persons, irrespective of where that business is located. Further, non-EU businesses engaged in processing the data of EU citizens will have to appoint a representative in the EU as a legal contact.
- Consent.
Rules governing consent have been strengthened to force those collecting data to fully inform the public. EUGDPR.org uses the word “legalese” to describe the overly small, ridiculously complex and relatively uninformative consent forms and disclaimers used by many websites today. Now, anyone engaged in collecting data will have to disclose in plain terms what they are collecting and why they are collecting it.
A word used throughout the regulation is “unambiguous”: there should be no doubt as to who is collecting data, what is collected and why, nor as to the consent given for collecting it. Parental consent will be required for persons under the age of 16, and member states may lower this to 13 if they so choose. The law goes on to require that data collectors make withdrawing consent easy too. Websites have been known to make withdrawing consent so frustrating that most Internet users give up before completing the task.
- Penalties.
Penalties are harsh and delivered on a tiered basis. Minor infringements, like not having records in order or non-compliance with breach notification procedures, may be fined 2% of annual global turnover. More serious infractions, like not obtaining proper consent to gather or store data, or violating core principles of the EU GDPR, can be fined up to 4% of gross turnover. These rules apply both to the controllers of websites and data collection schemes and to the processors, which means cloud providers and non-EU businesses are not exempt. There is a cap of 20 million euros, so very large companies may not feel much sting from this bite.
Another question answered by EU GDPR is what makes data personal?
According to GDPR, personal data is any information about a person, known as a “data subject,” that directly or indirectly identifies that person. This covers anything from your screen names to your bank accounts, medical information, social media posts or anything else that may identify you. In today’s world that may be as little as which websites you logged into from a certain IP address. Think about it: your computer knows who you are, and so can everybody else on the Internet if your data isn’t protected.
Internet User Rights Equals Privacy Shield
In addition to the core principles, the GDPR works to protect the rights of Internet users before the data is even collected. It does this with the list of Data Subject Rights, which details the basic rights Internet users can expect and what to do if they are not respected.
- Breach Notification.
Unlike today, where businesses can get away with not informing the public that their data has been breached, notification will become mandatory. This means that site owners will have a limited time, 72 hours, to notify the public or else face penalties. Data processors will be required to notify their customers, the website owners, “without undue delay.” This is crucial because many Internet security professionals say zero-day attacks, attacks that go unreported, are the leading cause of data loss. Quick response time and sharing of information are the fastest and best way to stop the spread of Internet attacks.
- Right To Access.
The new GDPR will protect the individual’s right to know what data is being collected, where, by whom and for what reason. A citizen will be able to contact data processors and request, at no charge, full digitized copies of what has been collected about them and how it has been compiled. This also encompasses data portability: data subjects are entitled to receive easily portable and transmittable copies of all their data.
- Right to be Forgotten.
The new rules expand on previous Right to be Forgotten rulings and make it easier for Internet users to control their data. They can request that controllers delete data or information, stop disseminating it, or possibly even that processors stop analyzing it. There are of course conditions for deletion, the foremost being relevance, but that doesn’t apply in data collection cases where consent has been withdrawn. Site owners have a responsibility here as well: they have to weigh the relevance of the data against the request for deletion. If the information is still relevant to the public, however old or out of context, it may not be withdrawn.
- Privacy By Design.
Privacy by design is not a new concept, far from it. It has been around since before the dawn of the modern Internet. Several notable Internet developers have tried to incorporate security and privacy features into the Internet but have been blocked at every attempt. Until now, in the EU at least. The EU GDPR will require that data protection and privacy features be incorporated into new systems from the start, not as add-on features after the fact. This design requirement covers the way in which data is collected and handled as well: data collectors will be constrained to collecting only what they need, and to controlling access to and storage of that data once collected.
- Data Protection Officers.
Up until now, all data-collecting websites were required to log their collection and processing activities with a local Data Protection Administration. This process was time-consuming, ineffective and a bureaucratic nightmare for multinational corporations operating abroad. It is being replaced by internal record keeping on the part of site owners, data collectors and processors, with oversight from regulators. Only those operations deemed to need a DPO will be required to have one. These include operations processing large amounts of data, certain categories of information, or information regarding criminal or legal actions. The DPO must be a staff member or dedicated service provider; they must be appointed based on qualifications, register with the DPA, have the proper tools to do the work, report to the highest level of management, and not engage in any other activities that may result in a conflict of interest.
People living in the UK may be wondering if these rules apply to them, or if they should even worry about them, what with the Brexit and all. The answer is yes. Whether you live in the UK or the EU, these laws apply to you if you are collecting data about EU citizens or visiting sites operated by EU citizens. Regardless, the UK government has indicated it will pass similar legislation, so UK citizens will have to live with it no matter what.
EU GDPR Not Without Controversy
There were a number of controversial issues with the EU GDPR. The foremost was data portability. In the original proposal documents portability had its own article, Article 18, but it was later condensed into the right to access article, Article 15, in the finalized parliamentary text. The main differences between the versions pertain to controllers’ ability to supply data, the format in which the data is delivered, and a means for controllers to protect themselves from loss of intellectual property. The main arguments from supporters are that the law leaves plenty of wiggle room for organizations to squirm through. For one, a controller may not have to deliver your data to you if it is not “feasible”. For another, data can be said to include or be derived from proprietary methods, making it a risk to deliver. Opponents say the cost of improving technology and supporting such a scheme is disproportionate to the benefit.
One-stop-shop is the idea that there would be a centralized or main body to oversee the implementation and enforcement of EU GDPR. While it seems common sense to have it this way, the plan is not without issues, the first being the organization of what is now a multinational and fractured effort to protect consumer rights. In the first version, only the DPA of the member nation in which the main body of a controller was located would have jurisdiction. This left open the possibility of cross-border disputes, which was addressed in later versions of the law. The final version allows the DPA in any member nation to enforce the law, with each required to alert and inform the lead DPA overseeing any individual controller or processor. Regardless, the solution leaves much to be desired. Arguments include balancing a high potential for red tape against the need to provide the citizenry with adequate access to redress.
The Data Protection Officer was another topic of hot debate, as both sides saw problems with the idea. On the one hand, a centralized officer is a good idea as it provides a go-to person for all things related to data collection and compliance. The argument against is that multinational operators may have a hard time coordinating with multiple DPAs, and vice versa. A DPA located in a member nation other than the one in which a controller is headquartered may face language and other barriers to implementation. What all versions of the law agree on is that DPOs should be appointed in the case of controllers that are public authorities, engage in business that requires regular or systematic monitoring of data subjects, or meet a certain threshold for size and volume.
EU GDPR Timeline And Key Dates
The EU GDPR has been a long time in the making. Legislation was first enacted in 1995 and now, after more than 20 years, it is close to becoming law.
- October 24th, 1995 – The EU Data Protection Directive 95/46/EC takes effect. This is a set of standards EU member nations are expected to follow, but their implementation and enforcement is left to the individual nations. This was the law of the land, so to speak, until 2012 when things started to change.
- January 12th, 2012 – The EU Commission proposes an updated version of the data protection directive and delivers a draft version to the EU parliament. The draft worked its way through parliamentary procedures over the next two years.
- March 12th, 2014 – The EU Parliament passes its own version of the legislation after the first reading showing widespread support for the measures. It then moved on to the Council of the European Union.
- June 15th, 2015 – The council had control of the legislation for a little over a year. It finally passed it, also in the first reading, creating what is known as the “general approach”. The document then moved on to the “trilogue”, the final stage in the passage of EU legislation.
- June / December 2015 – The general approach was thoroughly hashed out over the course of 10 meetings in the second half of 2015. These meetings covered every article and detail of the proposed law, with ample time spent discussing remaining issues. On December 15th an announcement was made indicating the final text was ready and would be signed into law.
- April 8th, 2016 – Adopted by the EU Council.
- April 16th, 2016 – Adopted by the EU Parliament.
- May 2016 – Published in the EU Official Journal with enforcement to begin 2 years from that date.
- May 2018 – Enforcement of EU GDPR to begin.
EU GDPR Will Help Protect Your Data, So What?
The EU GDPR legislation is certainly a step in the right direction, but there are three letters that make a lot of it moot: VPN.
If you use a VPN, your Internet use is already anonymized, hidden behind substitute IP addresses and virtually undetectable by outside parties, so your data is already not being collected. At least, any data that is being collected isn’t attached to you and can’t be traced to you unless you tell someone it’s you. Obviously, you still need to avoid common Internet security mistakes and not voluntarily leave data about yourself on the websites that you visit.
Yes, EU GDPR will help protect consumer use of the Internet, but it won’t prevent data collection and loss.
Le VPN is a top provider of high-speed VPN service and only costs a few dollars per month. The added benefit, along with anonymity, is security in the form of top-level encryption. This means that all your Internet connections will be safe from prying eyes; even if someone is able to hack you, they won’t be able to read your information. If you think that is important, you need to get Le VPN.
Le VPN Spring Special
Get Le VPN 2-year plan for $69.60 or $2.90/month