LZ1

Enviable Upcoming EU Legislation: GDPR


Hello!

Next year, around May, the EU will enact the GDPR. The General Data Protection Regulation adds some interesting new things to the requirements for how data is protected, how companies are punished for breaches and other measures that hopefully ensure that people can rest easier with regard to data protection. I assume AirVPN will fall under these rules, being based in Italy. Although I suspect Air will have a vastly easier time living up to any and all rules, given it already tries to minimise how much it knows about its users. But for large companies, this new regulation is a huge headache. There's even talk about how ransomware could threaten companies with exposing the breach of company security to the public, thus meaning the company gets fined for a % of its global revenue. A potent threat.

After four years of preparation and debate the GDPR was finally approved by the EU Parliament on 14 April 2016. It will enter into force 20 days after its publication in the EU Official Journal and will be directly applicable in all member states two years after this date. Enforcement date: 25 May 2018 - at which time those organizations in non-compliance will face heavy fines.

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy. The key articles of the GDPR, as well as information on its business impact, can be found throughout this site.

Some highlights from the above link, about GDPR:

What constitutes personal data?
Any information related to a natural person or 'Data Subject' that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

Who does the GDPR affect?
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location.

What are the penalties for non-compliance?
Organizations can be fined up to 4% of annual global turnover or €20 Million for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.

You can view the key changes here.

Thoughts? I think it's interesting. Even if everything doesn't go according to plan, I think that it's nice to see that someone is doing something for data security at least.


Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

Guest

Yeah heard about this. Sounds good to me so far!

"Organizations can be fined up to 4% of annual global turnover for breaching GDPR"

Now that's an incentive


"Yeah heard about this. Sounds good to me so far!

Organizations can be fined up to 4% of annual global turnover for breaching GDPR

Now that's an incentive"

Exactly. It's a superb tool for handling multinational companies. But it's also something which will make a lot of companies scramble to get things sorted out before next year, as these things aren't necessarily easy to implement. There's a whole slew of things which have to be considered for each company.




"There's a whole slew of things which have to be considered for each company."

Certainly worthwhile goals and things need to be done, but curious about the devil in the details.

Under local Australian consumer law, "American-style" websites and corporations have general terms and conditions such as:

"By clicking the Agree button you agree to <weburl>", but this DOES NOT override local law, and is just nonsense, but some people can be fooled some of the time (even if not Trumpistan retards). So no opt out, otherwise people will just do what happens with software EULAs and installing PlayStore apps.

The most detailed customer information is most useful to "support staff" for handling problems or issues, but larger corporations including telcos have offshored this to call centres in places like India and the Philippines, where corruption is widespread at all levels and people are desperate for money. Even if widespread "harvesting" is difficult, targeted details for investigators, debt recovery etc. may still be quite high-volume networks. Will there be incentives for call centres to return to customer nations in the EU?

It would save trying to be nice to someone who reads from a script, and does not seem to understand what you tell them, and with grammar and an accent that give you a headache, when trying to sort out some serious problem on the third call.

Air uses a payments processor and avoids retention of most customer info, so Avangate takes responsibility for security and transaction integrity, but that is their business. Similarly, some larger corporations debit my credit card monthly, but outsource the financial transactions. But local small businesses seem to just use their in-house accounting and customer relations systems, possibly running on Windows whatever, with the computer box on the premises, supplied by some local computer shop or business.

My dentist uses my mobile phone caller line ID to pull up my customer details for the front desk receptionist to also deal with calls. Although I can pay by credit card with an EFT handheld terminal, after approval it seems to all go in the same accounting system as if I made a cash payment, and the same receipt is printed. So I suspect I could go and break in and steal the computer gear for sale and copy all the data right now. So how do these laws "scale down"?


If we don't want US laws to apply to the EU, why do we want the EU laws to be applicable to the US?

Also, I think lobbyism will be a bit stronger than this. The last word has not been spoken yet.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.


"If we don't want US laws to apply to the EU, why do we want the EU laws to be applicable to the US?

Also, I think lobbyism will be a bit stronger than this. The last word has not been spoken yet."

Well I thought the premise was because EU laws are generally stronger/better.



"If we don't want US laws to apply to the EU, why do we want the EU laws to be applicable to the US?"

They aren't trying to make EU laws for the US - but if a company (regardless of where its main seat is) wants to do business in the EU, it has to follow EU law.

You may think 'fine, facebook will just stop doing business in the EU then, see how well you get on' - but the EU accounts for a very large portion of their income. To put it another way: it will hurt facebook/google/adobe/MS more to pull out of Europe than the other way around.
