A new strict EU rule on how personal data is used will have a knock-on effect around the world
MADRID: If you haven’t already noticed, over the next for weeks, expect to receive a lot of emails from companies or websites that you’ve had contact with in the past, asking you to confirm your personal details. And those emails too should be offering you options on unsubscribing or granting permission to the way your personal detail is stored.
If you’re a regular user of Facebook, for example, you might have already had to click through various options and explanations of privacy.
So why this sudden flurry and worry over your online privacy rights?
Come May 25, the European Union’s strict General Data Protection Regulation (GDPR) comes into effect and covers anyone living in Europe. But it goes further, forcing any company that has dealings with anyone living in the EU — regardless if they are the citizen of any EU nation or not — to take online data privacy and protect far more seriously. And if they fail to comply, they face fines of up to €20 million (Dh89.6 million) or 4 per cent of their gross profit.
While most readers of Gulf News don’t live in Europe, companies doing business there can’t take the risk of separating EU-resident and non EU-resident customers — hence why GDPR is a global gamechanger.
“While legislation protecting privacy and personal data has existed in Europe for some years now, the new GDPR is certainly significant as it introduces strict data privacy rules to be applied in the recent era of big data, social media and the internet of things,” Dr Maria Tzanou, a lecturer in law, online data and privacy at Keele University in the United Kingdom, told Gulf News. “It also contains substantive penalties for non-compliance and is a regulation, which means that from 25 May, it will have an immediate binding effect in all the EU member states.”
Companies that collect, store and process personal data online will have to comply with a long set of rules under the GDPR,” Dr Tzanou said. “For example, they must process personal information in a transparent way, namely they must provide clear privacy notices if they obtain personal data, explaining for what purposes they process these, with whom they share them and if they transfer them outside the [European Economic Area] countries,” she told Gulf News. “The GDPR has also strengthened the consent requirement. This means that companies can collect and process data on the basis of the freely given, informed and unambiguous consent of the individuals to whom the personal data relate. For instance, consent based on pre-ticked boxes will not be valid.”
Instead, companies should collect data for specified, explicit and legitimate purposes and not further process them in a manner that is incompatible with those purposes; they should collect no more data than required for the purposes of the processing; keep them for no longer than necessary; and, ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss.
“They should not make decisions that significantly affect the data subject based solely on automated processing, including profiling,” she said.
So, how will GDPR change online activities for people?
“The GDPR grants several rights on individuals to protect their personal data both online and offline,” Dr Tzanou said. “They have the right to access their data, to rectify them if they are inaccurate or incomplete, to request their erasure, including a ‘right to be forgotten’, to object to their processing, to object to their data used for direct marketing purposes and the right to data portability, namely to move personal information from one online platform to another.”
The GDPR is far-reaching, and it also applies to companies that process the data of persons in the EU — even if the companies themselves are not established there — if these companies offer goods or services to EU persons or monitor their behaviour.
“The general rule is that personal data cannot be transferred to third countries outside the EU if these do not ensure an adequate level of protection of personal information,” she said.
But will GDPR work?
“The future will show whether it will be a successful measure, but I want to be optimistic,” Dr Tzanou said. “I think it strikes a good balance between ensuring the protection of personal data in the online environment while acknowledging the benefits of modern technologies.”