Monday, April 16, 2018

Risky Data: GDPR outside the EU

By Bill Moran and Rich Ptak


[Image courtesy European Commission]

GDPR (General Data Protection Regulation), the new privacy law enacted by the European Union, will come into full force in May 2018. The law is an attempt to enforce some ownership rights over, and to protect the use of, an individual's data collected by enterprises. This is the first of a series of articles on the concerns and impact of GDPR on companies not physically based in the EU but which deal with EU residents directly (such as by selling services or products) or indirectly, by doing business with a firm that has EU-resident customers. Note that we are not attempting to provide a detailed legal analysis. This is intended as an advisory, awareness-raising commentary on what appears to us to be a potentially highly disruptive trend.

A major driving force behind the GDPR mandates has been the documented abuse of collected information, along with its increasingly evident potential for misuse. This is perhaps best represented by the highly profitable sale of access to customer data by social-media giants, Facebook[1] being just one example.

Adding to this growing, widespread public awareness of data abuse is the exposure of the casual, if not callous, attitude of industry executives, data sellers and data buyers alike, who are convinced that profitable exploitation of the data is their exclusive right.

It is very likely that GDPR-type restrictions will be initiated and imposed by the US along with other non-EU national governments. The repeated disclosure of personal information obtained from corporate databases by hackers lends further impetus to such efforts. Anyone doubting the risk can easily find evidence with a simple internet search[2].

GDPR’s initial focus is on returning the ownership and control of personal data to the individual. To that end, GDPR requires that the entity requesting data must obtain explicit, informed consent from the individual[3] for the collection and USE of the requested data. Both the request and the consent must be visible and explicit. Specifically, the request cannot be buried in a long, detailed statement of intent, in a blanket user agreement, or in the formal terms and conditions of a licensing or other contractual arrangement. The expectation is that meeting this requirement will take significant effort. There are many more details, which will be discussed in upcoming reports. First, let’s look at plans for enforcement.

GDPR establishes severe penalties for companies violating the individual’s data rights, e.g. a fine of up to 4% of an enterprise’s worldwide revenue for repeat offenders. For corporations with hundreds of billions of euros in revenue, this could equal billions of euros. The law applies to the data of both EU citizens and EU residents. Accountability extends to any company anywhere that maintains personal information on EU residents and/or citizens in its systems. Personal information is very broadly defined as anything that allows identification of an individual person. This broad definition appears to include even a simple URL.

Our series of articles will focus on issues and actions of concern to companies that may or may not currently do business in the EU but have information on EU citizens/residents in their databases. There are also secondary players, such as suppliers to multinationals that receive or exchange data about individual EU residents. Such suppliers will likely be asked to adhere to GDPR requirements or be requested to implement GDPR-compliant data protection policies. An example is a US-based airline holding (TSA-mandated) information from a ticket purchase by an EU resident. Virtually any enterprise anywhere doing business with any EU resident falls under GDPR.

We will not focus on the issues of the large multinationals with significant EU business, which have legal and technical staff to address them. They are immediately subject to EU laws and have had several years to prepare.

Our next installment will discuss open questions and implementation risks. It will be posted in approximately two weeks.


[2] Searching “hacker obtain personal data from corporate information” returns 48.8M results, and 127M if searching “hacker personal data corporate data”.


[3] In the case of a minor, the parents or the legal guardian must consent. Here you can see how GDPR requirements will spawn severe problems when an organization tries to implement them. We are not necessarily opposed to the concept, but significant effort may be required to implement it. What exactly is the process to contact the parents and get this consent? If you ask the child who their parents are, will they tell the truth, or will they identify someone else who they know will give permission?