US cloud providers take note – Europe’s new data regime begins in 2018

SUMMARY:

Two years and counting if US businesses want to do business in Europe as new tough data protection rules get the go-ahead from legislators.

privacy-pleaseFollowing the sending-back-to-the-drawing-board for the so-called Privacy Shield by Europe’s data protection authorities yesterday, some better news for advocates of stronger data privacy legislation today as the European Parliament has voted to pass the new General Data Protection Regulation (GDPR).

The main impact will be the imposition of a strong data protection regime for Europe’s 500 million citizens, replacing a patchwork of national rules that pre-date the rise of the internet age. Green MEP Jan Philipp Albrecht, who steered the legislation through the European Parliament, says:

The general data protection regulation makes a high, uniform level of data protection throughout the EU a reality.

European Commissioner for Justice, Consumers and Gender Equality Věra Jourová said:

The new rules will ensure that the fundamental right to personal data protection is guaranteed for all. The General Data Protection Regulation will help stimulate the Digital Single Market in the EU by fostering trust in online services by consumers and legal certainty for businesses based on clear and uniform rules.

The new rules will come into force on 4 May 2018 and will have serious implications for both EU and non-EU companies. The new rules include:

  • penalties of up to €100 million, or 4% of annual worldwide turnover, whichever is greater.
  • increased territorial scope to cover anyone doing business in the EU regardless of their headquarters location.
  • tighter requirements for obtaining valid consent to the processing of personal data.
  • enhanced restrictions on profiling and targeted advertising.
  • new data breach reporting obligations.
  • direct legal compliance obligations for “data processors”.
  • extended data protection rights for individuals, including the odious “right to be forgotten” clause.
  • processing companies—such as third-party vendors or technology service providers—are now subject to regulation and privacy compliance.

Albrecht explains:

The new rules will give users back the right to decide on their own private data. Businesses that have accessed users’ data for a specific purpose would generally not be allowed to transfer the data without the user being asked. Users will have to give clear consent for their data to be used. Crucially, firms contravening these rules will face fines of up to 4% of turnover, which could imply billions of Euro for the major global online corporations.

The new rules will give businesses legal certainty by creating one common data protection standard across Europe. This implies less bureaucracy and creates a level playing field for all business on the European market. Under the new rules, businesses would also have to appoint a data protection officer if they are handling significant amounts of sensitive data or monitoring the behaviour of many consumers. The directive on data protection for police and justice authorities delivers real progress and will provide a basis for better cooperation to fight terrorism and crime.

It’s a good day for Viviane Reding, MEP and former vice-president of the European Commission, who first proposed the changes in 2012 and has been fiercely antagonistic about US data transfer issues. She said:

This is a historic day for Europe. This reform will restore trust in digital services today, thereby reigniting the engine for growth tomorrow. There can be no freedom without security, and no security without freedom. Today’s concomitant adoption of these three legislations sends a strong signal that national security and data protection can and must go hand in hand.

Today’s vote also means that companies around the globe doing business in Europe must now start to put their data protection houses in order with just over 2 years to go. That’s going to mean a rich pay-seam for lawyers and security/compliance experts to tap into. Andrew Rogoyski, VP Cyber Security Services at CGI, warns:

The starting gun has fired, companies have two years to get their handling of personal data into order or they face the possibility of punitive fines and public humiliation. Organizations need to look at any of their contracts for IT services that utilize personal data and that will extend over the 2018 boundary when the regulation is expected to come into full force.

Companies should be reviewing what personal information they hold and looking at how it is protected, right now. They need to have people, processes and technology in place.

And this needs to be a board-level issue, not a tech one, he adds:

The first mistake that organizations make is to assume this is just an IT issue, it’s not. It is a very significant business risk and needs to be dealt with at senior leadership level. Many senior leaders simply don’t understand that their businesses have become digital in nature, dependent on IT systems, the Internet and the use of what is quite often sensitive personal data.

And just in case any UK firms think that things might be different if a Brexit results from the 23 June referendum, think again. Rogoyski states:

Obligations under this law will be unlikely to be impacted by a Brexit – there is no market in providing lowest common denominator handling of personal data and, in any case, if UK companies wish to operate in Europe, they’ll have to comply with GDPR.

My take

750 working days and counting…tick, tick, tick