Only good coming out of the new EU Data Protection Regulation

The Star (St. Lucia) - - REGIONAL -

EU Ambassador to Barbados, the Eastern Caribbean States, the OECS and CARICOM/CARIFORUM, Daniela Tramacere

On 25 May 2018, the European Union’s General Data Protection Regulation (GDPR) entered into force. This is a tool designed to harmonize data privacy laws across Europe, to protect EU citizens’ data privacy and to trigger more secure individual data privacy amongst organizations working with personal data of EU citizens. The GDPR not only applies to stakeholders located within the EU, but it also concerns companies and/or public authorities that process and hold personal data of EU citizens, even if the entity is based outside of the EU.

The GDPR is indeed extremely timely as issues of privacy and data security are truly global and not confined to the borders of a continent, let alone a single country. As I said before, at the core of the EU’s General Data Protection Regulation is the safety of the personal data of individuals. I’m sure this is something that Caribbean people cherish and value.

Last year many would recall the Facebook/Cambridge Analytica revelations which made us realise how vulnerable individuals are and how much there is at stake from a collective point of view, for the society as a whole, including for a functioning democracy and the integrity of the electoral process. These and other developments have reminded all of us why it is important to protect personal data as a central individual right and a democratic imperative but also as an economic necessity, because without consumers’ trust in the way their data is handled, there can be no sustainable growth of our increasingly data-driven economy.

The GDPR is the EU’s response to these challenges. It seeks to protect the individual’s privacy as a fundamental right, enhance consumer confidence in how the privacy and security of personal data is guaranteed, particularly online, and also encourage economic growth. I understand that the entry into application of the GDPR has raised some questions from several local organizations and the public at large seeking to know more about the GDPR and its possible impact.

The concerns raised relate mainly to who is expected to comply, what are the rules to be complied with and what is actually needed to be done to comply with the rules.

From the outset, I would like to emphasize that the GDPR rules only apply to personal data about individuals and do not oversee data about companies or other legal entities. However, information in relation to one-person companies may constitute personal data where it allows the identification of a natural person. In addition, the application of the data protection regulation depends not on the size of a company/organisation but on the nature of its activities which present high risks for the individuals’ rights and freedoms.

One very common misunderstanding about the GDPR is that EU data protection rules will apply outside of the EU (‘extraterritoriality’), to the collection and processing of data of Europeans, anywhere, anytime. Let me reassure you, this is an urban legend! To use an example, a hotel in the Caribbean will not be subject to the GDPR for the simple reason that it is hosting some European tourists. The regulation clarifies that, for the GDPR to apply, some strict conditions have to be met: either the processing operation in question takes place on European soil, within the EU territory, or the business operator specifically targets consumers in the EU. By contrast, the mere fact that a European would for example visit a Caribbean website and decide to book a hotel room or buy a tour is not sufficient to make the processing of data involved in that transaction fall within the GDPR.

Contrary to the perception that the GDPR is a new EU initiative, let me make it clear that the GDPR is an enhancement of the previous EU Data Protection Directive of 1995. Therefore, foreign companies doing business in Europe, including of course Caribbean companies, that were benefitting from the 1995 Directive will continue to do so with the additional benefits introduced with the new GDPR.

Let me mention the most relevant ones:

1. Companies can now offer their goods and services in a harmonized and simplified regulatory environment in the EU. Instead of having to deal with 28 EU Member States’ different data protection laws and 28 different regulators, since 25 May one set of rules applies to their processing operations and is interpreted in a uniform way throughout the EU.

2. Obligations to notify data processing operations or to obtain the prior-authorization (as it was required under the previous regulatory regime) from data protection authorities have been scrapped.

3. The GDPR has been adapted to the needs of the digital economy. This equates to increased legal certainty and a significant reduction in compliance costs and red tape. Again, something particularly important for foreign operators doing business in Europe, especially small and medium sized companies.

4. Finally, co-regulatory tools, such as codes of conduct or certification mechanisms, are being introduced to help companies manage and demonstrate compliance. Therefore, the so-called “risk-based approach” that is at the core of the GDPR means that controllers that limit the impact of their processing operations on privacy will not be subject to a number of obligations.

Simply put, the GDPR is based on a modern approach to regulation which rewards new ideas, methods and technologies to address privacy and data security.

What is also very important to stress is that these developments relating to the GDPR are not limited to Europe but are part of a more global trend of adopting new or updating existing data protection legislation to harness the opportunities offered by the global digital economy and respond to the growing demand for stronger data security and privacy protection.

Today more than 120 countries have data privacy laws in place. Many of the new or modernised laws tend to be based on comprehensive legislation, rather than sectorial rules, as data needs to move across industries and sectors. And this convergence is also taking place in the Caribbean. Just to mention a few examples: recently a new privacy law entered into force in Bermuda, while in Barbados the public consultation on a draft privacy bill has already taken place and an amended bill is expected to be presented to Parliament soon. Similar developments are taking place in Jamaica as “An Act to Protect the Privacy of Certain Data and for Connected Matters” was introduced in the Jamaican House of Assembly in October last year. In Latin America, a set of Ibero-American data protection standards have recently been adopted to promote regional cooperation in this field and have served as a source of inspiration for several legislative initiatives. Thus Brazil has adopted its first comprehensive data protection legislation, and Chile has created an independent data protection authority. Outside of the region, Asian countries such as India, Indonesia and Thailand are following the path opened by Japan and Korea some time ago, and are also legislating on data protection.

And in a world that is too often characterised by uncertainty and unpredictability, this developing convergence in privacy standards is very positive, for several reasons. First, this trend offers new opportunities to facilitate data flows and thus trade, at both regional and global levels. In fact, having convergent data protection regulations in the Caribbean would help with easier transferral and sharing of data securely within the region and between the EU and this region, contributing to a more integrated business environment that can boost trade and investment.

Secondly, given that companies increasingly operate across borders and prefer to apply a similar set of rules in all their business operations worldwide, being part of this global trend would help the Caribbean economies, contribute to an environment conducive to direct investment and improve trust between commercial partners.

Thirdly, having common data protection rules can also greatly facilitate the exchanges of data between public authorities, including in the context of law enforcement cooperation.

The European Union is committed to promoting and further building on that convergence with countries or regional organisations that share similar values. This can include the adoption of a so-called “adequacy finding” by the EU, ensuring the free, uninhibited flow of data between the EU and the concerned country (essentially assimilating that country with Member States of the EU when it comes to data flows). And these decisions can bring very significant mutual benefits. Recently, the EU and Japan announced the conclusion of a reciprocal adequacy arrangement thereby creating one of the world’s largest areas of free and safe data flows. We are certainly interested in exploring that possibility with other international partners.

It is my hope that we can have dialogue with the relevant authorities and concerned stakeholders in the coming months on this very important issue. As in the EU we have gone recently through a process of reform of our data protection rules, we are available to share our experience and further discuss these issues with all interested parties.

EU Ambassador Daniela Tramacere says the GDPR is the EU’s response to recent data protection challenges in the digital dimension.
