Data protection in Europe
Wednesday, July 18, 2018
GDPR (General Data Protection Regulation 2016/679, dated April 27, 2016) caused quite a stir in the business world. The problem is that GDPR breaks the rule that all previous data-protection legislation complied with. Under the new regulations, all companies worldwide are required to protect the data of EU citizens and residents even if they don’t operate in the EU and are completely unaware that some of their customers reside in the EU or that some of the data at their disposal belongs to EU citizens.
Is there a way to determine that a user is an EU citizen?
In short, no. Well, you can ask, but users could lie. You could also use IP geo-targeting, but that isn’t always reliable: people can use a proxy server, a satellite communication channel, and so on. Unfortunately, you can’t determine a person's location with 100% certainty.
It might seem that you could simply ignore a fine if your company is registered outside the EU. But the regulators forestalled that scenario: a company is required to have a designated representative to conduct business in the EU. Yes, you read that correctly. Apparently, this is the most aggressive change that the European Union could impose: companies are indeed obligated to have a legal representative in the EU. If your company already operates on EU territory, you have a designated representative. If not, you will have to acquire one. Some companies are already offering a paid service to help with that.
So if your company gets fined, your representative will be notified about it. Most probably, you cooperate with that company under some sort of agreement, and they have someone representing them in your country. Under the agreement, you reimburse the representative in your country for all the fines collected through your company's representative in the EU. Thus, you can either wage court battles with your own representative in your country or pay the fines.
And these people criticize our data protection legislation!
Russian companies processing EU citizens' personal information as part of their online sales (e.g., railways, airlines, hotels, etc.) also become subject to the GDPR and must comply with the personal-data-processing regulations.
What kind of data must be protected under the new legislation?
Personal data may include any information that can potentially be used to determine a person's identity. Such information includes data relating to an identified or identifiable natural person (the “data subject”); an identifiable natural person is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (article 4, clause 1). This is a broad definition and it clearly indicates that even an IP address can be regarded as personal data.
The regulations also establish special categories of personal data. Processing personal data that reveals a natural person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership is prohibited. The prohibition also covers the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, and data related to a natural person's sex life or sexual orientation (article 9).
Essentially, these requirements are identical to those of Russian Federal Law 152. By the way, the Russian law has been in effect since 2006.
Before you can use data provided by individuals, you must obtain their consent. That's not about showing good manners—that's the law.
After May 25, it became illegal to send emails prompting users to agree to receive a newsletter. Any addresses you've accumulated without user consent must be regarded as lost. Messages of this kind are treated as spam. You are not allowed to send such emails to natural persons.
Spam has been outlawed! Will spammers be fined too?
Let's assume that you have a blog and a few of your friends are registered visitors.
The GDPR doesn't discriminate between a hobby and a business, and that seems right to me. It doesn't matter whether you regard your project as a hobby or not. As soon as you start collecting personal data belonging to EU natural persons, you will have to comply with the legislation.
The similar Russian law doesn't differentiate between individuals and companies, but until now no one has paid particular attention to what ordinary users have been doing. And then the GDPR arrived…
Ironically, anything can become “personal data”, even a password—many people use their own names, aliases, and postal addresses as their passwords.
I can post information about myself (or someone else) on an anonymous forum. So any information submitted by users potentially contains personal data.
And if one chooses to ignore the regulations?
Under the GDPR, fines can reach EUR 20 million or 4% of a company's annual income.
The Anti-virus Times recommends
Since the law has been adopted, we'll have to comply with it. We have no other choice.