November 30, 2015 By Stuart Lauchlan
With the finishing line for 2015 now in sight, the European Union’s long-awaited General Data Protection Regulation (GDPR) is also looming large – and with it will come some unpleasant surprises for US cloud companies.
The GDPR will bring into law a series of changes to data protection and data privacy requirements that all companies with EU customers will have to adhere to, regardless of where they are geographically based.
Among the most significant amendments waiting in the wings are:
- penalties of up to €100 million, or 2.5% of annual worldwide turnover, whichever is greater.
- increased territorial scope.
- tighter requirements for obtaining valid consent to the processing of personal data.
- enhanced restrictions on profiling and targeted advertising.
- new data breach reporting obligations.
- direct legal compliance obligations for “data processors”.
- extended data protection rights for individuals, including the odious “right to be forgotten” clause.
- processing companies—such as third-party vendors or technology service providers—are now subject to regulation and privacy compliance.
And while the GDPR has been bubbling away for years in its formation, one recent study, conducted by data privacy specialists TRUSTe, found that over half of US businesses polled are not aware of the new obligations or prepared for them.
There’s some small comfort in the fact that the survey results indicate that UK, French and German customers aren’t much better positioned, but it’s the impact on non-EU firms that will be of most interest as the cloud industry is dominated by US providers.
Awareness was the highest amongst financial services companies (58%) and lowest amongst tech companies that are some of the greatest users of data (43%).
The results of the study and its implications will be discussed in more detail at TRUSTe’s EU Data Protection 2015 – Regulation Meets Innovation conference in San Francisco next week, but for now TRUSTe CEO Chris Babel warns:
The GDPR represents the most significant global development in data protection law in the last twenty years and for many US companies will require a complete restructuring of the way they currently collect, store and transfer personal data.
Despite over four years of high profile negotiations, half of companies are still unaware and there is a worrying chasm between those who are actively preparing and those blind to the changes ahead.
The GDPR is the result of attempts to harmonize data protection law across the EU member states. The existing laws were published as a Directive and as such could be implemented by each country in the way that they chose.
As such, the data protection regime in each member state varies to a greater or lesser degree from those of the others.
The GDPR will be directly applicable in the same form in all EU countries.
Price to pay
The cost of getting ready to meet the requirements of the new legislation is open to question. The EU itself predicts the cost to European business will be £580 million, but argues that there will be a £2 billion administration saving achieved by eliminating national data rules.
The necessity to notify data breaches is one of the most important changes. The GDPR requires breaches of security relating to personal data to be reported to the relevant data authority within 72 hours of the breach.
Data controllers must also alert the data subject promptly. So no more trying to sweep a breach under the carpet or only admitting to the problem months after the event.
The inclusion of the Right to be Forgotten concept is another thorny issue. This entered the mainstream of data protection debate following the ruling by the European Court of Justice last year in the case of Google Spain v Mario Costeja González, which resulted in Google and other search engine providers having to respond to requests to remove information about individuals from search results.
The burden that this creates was highlighted last week when Google revealed that it has evaluated 1,235,473 URLs for removal relating to Right to be Forgotten requests since May 2014, after receiving 348,508 requests to have URLs relating to people’s names and identities removed from search results.
In the event, only 42% of these requests resulted in removal, but each of them had to be investigated, assessed and adjudicated on.
The Right to be Forgotten has met with opposition from some EU members, most notably the UK, which has set out its stall against the ruling, arguing that it’s a charter for criminals and other ne’er-do-wells, such as politicians, to rewrite the past.
Other nations are more wholeheartedly in favor, with France upping the ante with a demand that Google implement the Right to be Forgotten worldwide. In its present form, the requirement only applies to European Google domains, meaning that information erased from European searches can still be found on the .com domain. With no authority whatsoever to make the demand, France is insisting that the Right to be Forgotten should apply to every Google domain.
Civil liberties non-profit organization Electronic Freedom Frontier warns that the GDPR is about to make matters a lot worse:
It requires an Internet intermediary (which is not limited to a search engine, though the exact scope of the obligation remains vague) to respond to a request by a person for the removal of their personal information by immediately restricting the content, without notice to the user who uploaded that content. Compare this with the DMCA takedown notices, which include a notification requirement, or even the current Right to Be Forgotten process, which gives search engines some time to consider the legitimacy of the request. In the new GDPR regime, the default is to block.
There will also be no requirement to inform those who have uploaded information that it has been removed, the EEF adds, which has wider ramifications:
You place a comment on a website which mentions a few (truthful) facts about another person. Under the GDPR, that person can now demand the instant removal of your comment from the host of the website, while that host determines whether it might be okay to still publish it. If the host’s decision goes against you (and you won’t always be notified, so good luck spotting the pre-emptive deletion in time to plead your case to Google or Facebook or your ISP), your comment will be erased. If that comment was syndicated, by RSS or some other mechanism, your deleting host is now obliged to let anyone else know that they should also remove the content.
Without fixing the problem, the current draft risks sullying the entire GDPR project. Just like the DMCA takedown process, these GDPR removals won’t just be used for the limited purpose they were intended for. Instead, it will be abused to censor authors and invade the privacy of speakers. A GDPR without fixes will damage the reputation of data protection law as effectively as the DMCA permanently tarnished the intent and purpose of copyright law.
While I’m deeply skeptical of some of the provisions in the GDPR, it can’t be argued that the existing data protection rules in Europe needed dusting down and improving to meet the realities of the digital age.
There’s still no fixed deadline for a final, signed-off version of the GDPR, but all indicators are towards it being in place as law by the end of 2017. But that said, it’s going to be necessary for cloud providers and other data-centric organizations, both within the EU and without, to start to get their houses in order in 2016.