In the EU, the new regulations for the protection of PD

In late May, the European Union plans to tighten the requirements for the processing of personal data. More about the innovations and reactions of IT companies - under the cut.
In the EU, the new regulations for the protection of PD

/photo Stock Catalog CC

What is GDPR

General Data Protection Regulation is a data protection regulation, which is designed to toughen, including regulation of the PD scope within the EU. It will enter into force on May 2? 2018 and will replace Data Protection Directive, the directive adopted in 1995.
The GDPR will concern any companies and organizations that somehow process PD citizens of the EU (including American IT corporations). Based on this situation, the US Department of Commerce in July 2016 has developed mechanism EU-US Privacy Shield (protection of PD in the framework of US-EU cooperation). Its task is to help American companies to align their activities in the EU territory with local directives on working with PD. In October 201? the EU-US Privacy Shield was approved the EU itself, and they were interested in more than 2000 companies, including Google, Microsoft and Facebook. However, the European observers more than once criticized this mechanism for lack of rigidity in the regulation of work with PD.

How GDPR works

The Regulations are binding. Penalties in case of non-compliance - up to 20 million euros or 4% of the company's annual turnover, which will be determined on the basis of revenue not only in the EU, but worldwide. The regulator intends to apply fairly general provisions of the regulations in the interests of EU residents - companies are most likely not able to find any loopholes here. For example, liability extends to any organization with a staff of over 250 people, but does not exclude a company with fewer employees if business activity poses a risk to the rights and freedoms of EU citizens. This formulation is potentially affects any company.
The law identifies two categories of organizations: data controllers and data processors. Operators are companies that store AP. Handlers are any companies that use this data. The Regulations imposes the same responsibility on both categories. If a company uses a third-party service that does not meet the requirements of the GDPR, it automatically does not comply with the requirements of the regulations. Thus, the introduction of a new regulation will mean a re-examination of the business relationship with cloud providers, SaaS start-ups and payment organizations.
Study of PwC has shown a serious attitude of US companies to the GDPR - 68% of companies plan to spend from 1 to 10 million dollars to meet new requirements, and 9% of organizations - more than $ 10 million. By Ovum report, two-thirds of US companies believe that the new regulations will force them to reconsider their strategy of working in the EU. At the same time, most American companies say that European businesses get a competitive advantage, and Americans will be fined. Consulting agency Oliver Wyman predicts that the EU can collect at least $ 6 billion in fines for the first year from the date of the new regulations.

Google's reaction to GDPR

The new regulations forced Google to make adjustments to the work of almost all of its services. For example, for AdWords and Google Analytics there were updated user agreements that warn about the requirements of the GDPR.
In cases where Google and the client company using its applications act as independent data operators, Google will update the current agreements, as well as will enter new, so-called "inter-operator" agreements (controller-contoller terms). The essence of these inter-operator agreements is reduced to the fact that both operators (Google and the client company) each in their own discretion dispose of the PD in the framework that meets the requirements of the GDPR.
By opinion PageFair, a similar agreement is fraught with companies that use Google services. After all, in this case, the IT giant can access the PD, collected by the client company. In this case, the client company will not be able to notify its users about how their PD will be used. Given that the GDPR allocates responsibility between all information handlers, other processors are at risk of breaking the contract if Google abuses its position.
Also to meet the requirements of the GDPR Google will run service of non-personalized advertising. Using such a service, customers will be able to advertise products without resorting to collecting their users' PD.

Facebook response to GDPR

On your Facebook site stated On the ongoing work to meet the requirements of the GDPR. The company expanded the data protection department in Dublin, and also made it the chief for coordinating all efforts in this direction. For example, at the end of March, Facebook closed "Partner categories" (Partner Categories). They allowed site advertisers to use PD collected by large third-party operators Datalogix, Epsilon, Acxiom and BlueKai.
However, it is still unclear whether Facebook will meet the requirements of the GDPR globally or will try to meet the requirements exclusively in the European segment. Last week Mark Tsukeberg in the phone interview Reuters refused to introduce changes to the platform everywhere and noted that the company is working to ensure that part of the GDPR requirements work on a global scale, but declined to comment on which part is being discussed.
In open In a letter to Zuckerberg, a number of American and European consumer protection organizations demanded that the company "confirm compliance with the requirements of the GDPR at the global level, and also provide a detailed plan of the events held in connection with this." At the moment, there was no official response from Facebook.
More materials in the First blog about the corporate IaaS:
Protection of personal dаta: European approach
Testing cloud security: fixing security problems
Features of placement of state information systems in the cloud
Legal issues of using cloud technologies by financial organizations
Cloud IT infrastructure in the implementation of international projects
+ 0 -

Add comment