Outside of dedicated circles, most laws and regulations don’t really get highlighted in the news. That said, legislative initiatives that seek to make big changes in one or more sectors do get the air time, but even then they can be poorly explained because of the limited time a news segment allows.
One such legislative initiative that deserves a closer look is being lined up to take effect next year in the European Union. It is known as the GDPR, and in the following paragraphs we’ll take a look at what it is, what on earth it does, and what steps companies doing business in the European bloc can take, and are taking, to comply with it.
What is the GDPR?
Back in January of 2012, the European Commission – the executive branch of the EU – put forth its proposal for a reform of the Union’s data protection rules. Basically, this called for a better way for companies operating in the EU to handle the personal data of their customers. After further discussions, an agreement was reached between the European Parliament, Commission, and Council, on December 15, 2015.
This newly agreed-upon reform – which was adopted by the European Council on April 8, 2016, and by the European Parliament on April 14, 2016 – has, as per the official press release, two so-called instruments:
The General Data Protection Regulation will enable people to better control their personal data. At the same time modernised and unified rules will allow businesses to make the most of the opportunities of the Digital Single Market by cutting red tape and benefiting from reinforced consumer trust.
The Data Protection Directive for the police and criminal justice sector will ensure that the data of victims, witnesses, and suspects of crimes, are duly protected in the context of a criminal investigation or a law enforcement action. At the same time more harmonised laws will also facilitate cross-border cooperation of police or prosecutors to combat crime and terrorism more effectively across Europe.
As can be seen, the General Data Protection Regulation (GDPR) is the part of the reform which affects pretty much every citizen in the EU, and by extension the businesses that operate in the Union. However, beyond the specific scope differences between the GDPR and the Data Protection Directive, there is another fundamental difference that separates the two:
- a regulation is legally binding and must be applied in full in every member state
- a directive is a legislative act which outlines a goal that needs to be reached by all EU states, but it’s up to each individual country how said act is implemented or the goal is reached
Two dates matter for each of these instruments. The first is the date at which the law comes into force and is “usually expressed as the 20th day following publication of the Regulation in the Official Journal of the European Union”, which means that “the EU rules have been adopted and published - thus producing legal effects -, but are not necessarily mandatory”. The second, the date of applicability, is when the rules become mandatory. The Directive came into force on May 5, 2016 and needs to be transposed into national law by May 6, 2018. The GDPR, however, came into force on May 24, 2016, and will be applicable from May 25, 2018 onwards.
Now that the differences between the two have been outlined, let’s see what effects the GDPR will have on EU citizens and the handling of their personal data.
What stipulations does the GDPR have, and what are the consequences of non-compliance?
Among other things, the GDPR clearly states that citizens have a “right to be forgotten” – a slightly primitive version of which actually appeared in a court case three years ago – a right to know whether or not their data has been hacked, as well as the right to data portability (the ability to more easily transmit personal data between service providers). While the provisions of the Regulation apply to whichever company does business in the Union, whether it is based in the EU or not, there are certain situations in which the Regulation does not apply, such as:
(16) This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. This Regulation does not apply to the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.
However, in the instances in which GDPR can be applied, and if a company is found to be in breach of its stipulations, there are two levels of so-called “administrative fines”. Depending on the severity of the situation, a company can be fined “up to 10,000,000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher”, according to paragraph 4 of Article 83. Paragraph 5 of the same article states that in more severe cases, a company can receive a fine of “up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher”.
With such a serious penalty for breaching the Regulation’s terms, the natural question in the minds of citizens, but probably more importantly businesses, becomes:
What solutions are there which are working towards GDPR compliance?
While Microsoft has been quite vocal about its intention to be GDPR compliant by the time the law becomes applicable, committing to doing so publicly, other companies have also stated their support for the EU’s reform.
Since encryption is outlined as one of the methods to ensure compliance, companies such as end-to-end encrypted storage service Tresorit have come out and said that while encryption does not “solve all GDPR requirements alone”, it “helps businesses worry less about managing data in the cloud”.
Other firms which offer encrypted communication platforms include Wire – makers of the eponymous messenger app – which stated that it, along with its similarly privacy-minded partners, can “help legislators and businesses understand the advantage of end-to-end based solutions in securing consumer and business data”. Another encrypted messenger provider, Threema, called GDPR “a step in the right direction”.
In terms of encrypted email communication, Tutanota called this privacy reform “a chance for businesses to join the privacy movement”, noting the rapid rise of said movement across the continent, in light of massive data breaches in recent years. Another encrypted email provider, ProtonMail said of GDPR that it is a “long overdue update to the regulatory framework surrounding data protection”.
On the subject of how far companies need to go to ensure they are indeed complying with this regulation, secure mobile calling service CryptTalk said that “organisations will have to secure all communication channels with customers. Emailing, file sharing, messaging and voice calls should be protected by the same high standards.”
Finally, encrypted email service Lavabit stated it anticipated that the “unifying regulation in the EU will be echoed around the world and hopefully drive encrypted policy measures within the US in the near future”.
The EU's General Data Protection Regulation has been put forth to strengthen the citizens' right to privacy and transparent disclosure of personal data breaches in what is being called the "Digital Single Market".
While there's still about a year left until GDPR's effects can be fully seen, it will be interesting to watch what changes this legislation will inspire in the future.