Europe's GDPR privacy law heralds new era in online data protection

Companies obliged to follow rigid consumer code with arrival of new regulations

A protester waves a European Union (EU) flag beside cutouts of Facebook Inc. Chief Executive Officer Mark Zuckerberg during a protest outside the Berlaymont building ahead of his testimony to the European Union (EU) parliament in Brussels, Belgium, on Tuesday, May 22, 2018. Zuckerberg will tout the company's investment in Europe and again take responsibility for privacy failures, according to testimony prepared for an appearance Tuesday in front of the region's parliament. Photographer: Dario Pigantelli/Bloomberg

Tough European privacy regulations that promise to bolster consumer rights come into effect on Friday.

Many campaigners around the world have hailed the new framework as a model for personal online protection in the internet era and called on other countries to follow suit.

The European Union General Data Protection Regulation (GDPR) replaces the bloc's existing patchwork of rules, which date back to 1995.

Companies that break the new laws face fines of up to 4 per cent of global annual revenue or €20 million (Dh85m), whichever is higher, compared with maximum penalties of a few hundred thousand euros under the previous rules.

Critics, though, say the new rules are overly burdensome, especially for small businesses, while advertisers and publishers worry it will make it harder for them to find customers.

The GDPR gives consumers new rights, including the right to find out what data is being held on them and the power to have that information deleted, unless a firm has a good reason to keep it.

But it also includes entirely new mandates, such as the right to transfer one's information from one service provider to another.

Activists are already planning to leverage the right to access one's data to turn the tables on large internet platforms whose business models rely on processing people's personal information.

That means companies are having to put in place processes for dealing with such requests and educating their workforce because any non-compliance could lead to stiff sanctions.

Studies suggest that many companies are not ready for the new rules.

The International Association of Privacy Professionals found that only 40 per cent of companies affected by the GDPR expected to be fully compliant by May 25.

A patchwork of European regulatory authorities, many of whom say they are under-funded, will oversee the new law, with a central body to resolve conflicts.

One key provision of GDPR, the right to data portability, is causing particular confusion.

Lawyers and experts say it is not clear how far the right for individuals to move their data from one service provider to another will stretch.

"The data portability rights are pretty significant and are going to take a while for people to figure out what the bounds of them are and how to go about complying with them," said David Hoffman, director of security policy and global privacy officer at Intel.

For example, music streaming services like Spotify create playlists for users based on their music preferences.

While a user seeking to exercise the data portability right would be able to move playlists he or she created, the situation becomes fuzzy if the playlists are created by the streaming service using algorithms.

Tanguy Van Overstraeten of Linklaters claimed the data portability right could raise issues of intellectual property.

"It's not obvious that you can necessarily migrate the data from your system to somebody else's system," he said.

On the business side, companies are rushing to renegotiate contracts with suppliers and service providers because GDPR increases their liability if something goes wrong.

Under the existing rules it is generally the company that determines the purposes of data collection (the data controller) that is directly liable for any breaches.

GDPR changes that. Data processors, which only process or store data on behalf of their clients (cloud computing providers, for example), will be directly liable for sanctions and could face lawsuits from individuals. That shift in liability needs to be reflected in contracts.

Patrick Van Eecke of law firm DLA Piper said: "After 20 years of data protection legislation in place, it's only now with the GDPR they (companies) start to think about 'what's my role in the whole story? Am I a data controller or data processor?'"