Customer data clampdown as new EU data laws kick in
NEW EUROPEAN privacy regulations came into effect on Friday that will force companies to be more attentive to how they handle customer data.
The ramifications were visible from day one, with major US media outlets – including the LA Times and Chicago Tribune – forced to shutter their websites in parts of Europe.
People in the bloc have been bombarded with e-mails asking for their consent to keep processing their data, and a privacy activist wasted no time in taking action against US tech giants for allegedly acting illegally by forcing users to accept intrusive terms of service or lose access.
“You have to have a ‘yes or no’ option,” Austrian Max Schrems said before filing complaints in European jurisdictions. “A lot of these companies now force you to consent to the new privacy policy, which is against the law.”
The EU General Data Protection Regulation (GDPR) replaces the bloc’s patchwork of rules dating back to 1995 and heralds an era where breaking privacy laws can result in fines of up to 4 percent of global revenue or €20 million (R290.32m), whichever is higher, as opposed to a few hundred thousand euros.
European privacy regulators signalled they were ready to flex their muscles, but were not “sanctioning machines”.
“This (forced consent) is an issue that we will be looking at immediately, and work is already under way,” said Helen Dixon, head of the Irish Data Protection Commissioner, which will be responsible for policing US giants Facebook and Google, among others.
Many privacy advocates have hailed the new law as a model for personal data protection in the internet era and called on other countries to follow the European model.
Critics say the new rules are overly burdensome, especially for small businesses, while advertisers and publishers worry it will make it harder for them to find customers.
The GDPR clarifies and strengthens existing individual rights, such as the right to have one’s data erased and the right to ask a company for a copy of one’s data.
But it also includes entirely new mandates, such as the right to transfer data from one service provider to another and the right to restrict companies from using personal data.
“It’s a gradual and not a revolutionary kind of thing… But for many companies it was a huge wake-up call, because they never did their homework. They never took the data protection directive seriously,” said Patrick van Eecke, partner at law firm DLA Piper.
Activists are planning to use the right to access their data to turn the tables on internet platforms, whose model relies on processing people’s personal information.
Stiff sanctions
That means companies have had to put in place processes for dealing with such requests and educating their workforce, because any non-compliance could lead to stiff sanctions.
Studies suggest that many companies are not ready for the new rules. The International Association of Privacy Professionals found that only 40 percent of companies affected by the GDPR expected to be fully compliant by Friday.
It is unclear how many provisions of GDPR will be interpreted and enforced. European regulatory authorities, many of whom say they are underfunded, will oversee the new law, with a central body to resolve conflicts.
One key provision of GDPR, the right to data portability, is causing particular confusion.
“I think the data portability rights are significant,” said David Hoffman, associate general counsel and global privacy officer at Intel.
– Reuters/African News Agency (ANA)