In late May, the European Union will tighten its requirements for the processing of personal data. Details of the new rules and the reactions of IT companies are under the cut.
/ photo Stock Catalog CC

What is GDPR
The General Data Protection Regulation is an EU regulation intended to tighten data protection, including the rules on the scope of personal data (PD) processing in the EU. It takes effect on May 25, 2018 and replaces the Data Protection Directive adopted in 1995.
The GDPR will affect any company or organization that in one way or another processes the PD of EU citizens, including American IT corporations. With this in mind, the US Department of Commerce developed the EU-US Privacy Shield mechanism (protection of PD in the framework of US-EU cooperation) back in July 2016. Its task is to help US companies bring their activities in the EU into line with local rules on working with PD. In October 2017, the EU-US Privacy Shield was approved by the EU itself, and more than 2,000 companies, including Google, Microsoft and Facebook, have signed up to it. However, European observers have repeatedly criticized the mechanism for not being strict enough in regulating work with PD.
How does GDPR work?
The regulation is binding. Penalties for non-compliance reach up to 20 million euros or 4% of the company's annual turnover, calculated on the basis of revenue not only in the EU but worldwide. The regulator intends to apply the fairly general provisions of the regulation in the interests of EU residents, so companies will most likely not find any loopholes here. For example, the obligations apply to any organization with a staff of over 250 people, but smaller companies are not excluded if their business activity poses a risk to the rights and freedoms of EU citizens. Such wording potentially affects any company.
The regulation distinguishes two categories of organizations: data controllers (called "operators" in the original) and data processors. Controllers are companies that store PD; processors are any companies that use this data. The regulation places the same responsibility on both categories. If a company uses a third-party service that does not meet the requirements of the GDPR, the company itself does not comply with the regulation either. Thus, the introduction of the new regulation will mean revising business relationships with cloud providers, SaaS startups and payment organizations.
A PwC study showed that American companies are taking the GDPR seriously: 68% of companies plan to spend from 1 to 10 million dollars to meet the new requirements, and 9% of organizations plan to spend more than 10 million dollars. According to an Ovum report, two thirds of US companies believe that the new regulation will force them to reconsider their strategy in the EU. At the same time, most American companies say that European businesses will gain a competitive advantage while American ones will be fined. The consulting agency Oliver Wyman predicts that the EU could collect at least $6 billion in fines in the first year after the new regulation takes effect.
Google's response to GDPR
The new regulation has forced Google to adjust the work of almost all of its services. For example, the user agreements for AdWords and Analytics have been updated with a warning about the requirements of the GDPR.
In cases where Google and the client company using its applications act as data controllers independent of each other, Google will update the current agreements and also introduce new, so-called "controller-controller" terms. The essence of these terms is that both controllers (Google and the client company) each dispose of PD at their own discretion within a framework that meets the requirements of the GDPR.
According to PageFair, such an agreement is fraught with risk for companies using Google services. In this case, the IT giant can gain access to the PD collected by the client company, and the client company will not be able to tell its users exactly how their PD will be used. Given that the GDPR distributes responsibility among all processors of the information, the other processors risk a breach of contract if Google abuses its position.
Also, to meet the requirements of the GDPR, Google will launch a non-personalized advertising service. Using it, customers will be able to advertise products without collecting data on their users.
Facebook's reaction to GDPR
On its website, Facebook announced ongoing work to meet the requirements of the GDPR. The company expanded its data protection department in Dublin and made it the center for coordinating all efforts in this direction. For example, at the end of March, Facebook shut down "Partner Categories", which allowed advertisers on the site to use PD collected by the large third-party data operators Datalogix, Epsilon, Acxiom and BlueKai.
However, it is still unclear whether Facebook plans to meet the requirements of the GDPR globally or will try to comply with them only in the European segment. Last week, in a telephone interview with Reuters, Mark Zuckerberg declined to commit to introducing the changes across the whole platform, noting that the company is working to ensure that part of the GDPR requirements apply globally, but refused to comment on which part.
In an open letter to Zuckerberg, a number of American and European consumer protection organizations demanded that the company "confirm its compliance with the requirements of GDPR at the global level, as well as provide a detailed plan of the events held in connection with this." So far, no official response from Facebook has been received.