Alessio Balbo di Vinadio – Trainee at Clarke, Modet & Co. Spain
Following our previous publication on data processing, this article will address the issue of the first few small repercussions of the European Union General Data Protection Regulation (hereinafter ‘GDPR’) on the online world.
In that same aforementioned article, the author rightly stated that companies should hurry up for compliance, as time was running out and the road to achieving full compliance is a very long one (depending on the activity the company carries out, obviously!). One would think that now, approaching the end of the first decade of June 2018, most businesses have already taken care of the privacy matter, in light of its pivotal importance. Well, as we all know, that is not true (not for everyone, at least).
This article is intended to provide a useful overview of important aspects not only for European SMEs but also for Latin American companies operating in the European Union (EU), since one of the highlights of the new regulation is its broadened scope: it is applicable to all companies in the world that handle personal data from European customers, even if the processing takes place outside of the EU.
Preliminarily, it is worth noting that in contrast to the European Union, at present, Latin America has no harmonised legislation on data and privacy, due to different national legislations. This inevitably leads to different levels of protection, all of them still considerably lower than the EU standards (i.e. Guatemala, for instance, still lacks a specific legislation on data protection).
Bearing this in mind, the Latin American region is making serious efforts to respond to the demands of today’s global market. Notwithstanding the current situation, through the Ibero-American Data Protection Network (RIPD) some regional standards have been set as a reference for future implementations. There is still a long way to go and striking differences between countries yet remain. However, it must be acknowledged that Argentina, Mexico, Uruguay and Chile stand out for their domestic legislations on the matter, by virtue either of their age or the existence of local authorities specialized in data protection.
Indeed, all these relative progresses both national and regional, have been developed in accordance with the model established by the EU-GDPR. Therefore, these countries are likely aware of the need to bring Latin American legislation in line with Europe’s in order to attract foreign investment and create a better climate for European SMEs.
Let’s quickly analyse the GDPR: the main changes concern the personal data definition, the increased territorial scope, the penalties, the consent, the newly introduced rights (to access, to be forgotten, data portability), the immediate (within 72 hours) and compulsory data breach notification and, finally, the introduction of the Data Protection Officers (DPO – compulsory only in some cases). Furthermore, companies need to comply with the definitions of ‘Privacy by design’ and ‘Privacy by default’ when dealing with personal data.
Certainly, it can be affirmed that consent is at the very centre of this legislation. The Consent has to be “freely given, specific, informed and unambiguous”, “clearly distinguishable, intelligible and using clear and plain language”, according to, respectively, articles 4 and 7 of the GDPR.
We are only a few days away the entry into force of the new GDPR and the email boxes of half the planet have been filled up with newsletters, data processing requests, “We care about your privacy” statements and so forth. Notwithstanding, when analysing those emails, not all of them appear to be fully compliant and actually, most of them, have not achieved the ‘simplification’ requirement of privacy law, which was one of the many targets of the GDPR. In fact, emails with excessive material and written in “legalese” (technical-juridical language) do not allow the consent to be informed for the majority of the public, due to the extremely complex language used by the policies.
This new regulation has re-shaped the online (and offline) world, as we have moved from an (online) environment with full access to websites and limitless actions available, to almost completely blocked websites until full GDPR compliance is achieved. To this regard, in these days, when accessing websites, very disturbing banners do not allow the correct displaying of the website (or will ‘bother’ you until you click “I agree”). Additionally, if you are an ‘informed user’ and want to know the purposes of the processing of personal data on the accessed website, a “More information” button should be available (usually next to the “I agree” box) and you should be provided with full disclosure of the data processing carried out on such page. Normally, clicking on that button will redirect the user to a special page displaying the cookies implied (which can be essential, functional and targeting). That particular page is where your preferences will be saved by the “Controller” (the legal entity that determines the purposes of the processing) or the “Processor” (the legal entity that actually processes the data) so that each user’s data will (or will not) be processed and, especially, inform the user for what purposes.
Before the introduction of such law, privacy was almost “disregarded”, as it referred to lengthy and boring legislation with few implications. Nowadays, we can undoubtedly assert that there was – and there still is – indeed a big business on (personal) data used with no legitimate consent. The change derives from the concern that companies have developed about the newly regulated sanctions, in accordance with article 83(4) and 83(5) of the GDPR (20 Million or 4% of the global revenue – whichever is higher – for the harshest fine and 10 million or 2% of the annual global revenue – again, whichever is higher).
In recent days, we have seen many blocked non-EU websites, which, prior to the entry into force of the GDPR, were accessible for European users. Many businesses from all over the world are still not yet compliant with the GDPR, mainly due to the investment required, both economically and in terms of time-management. Full compliance will come with time and dedication, and hopefully, companies that process big amounts of personal data will stop seeing it as an asset and start approaching it in a more intimate and personal manner. The temporary blockage of the access from the EU (until full compliance is achieved) has to be merely momentary, as the GDPR is an issue that has to be addressed compulsorily, as the repercussions can be relevant (sanctions). An incentive to avoid permanent blockage of the website to EU customers would be to avoid losing a considerable market share (significant to most businesses – 508 million inhabitants). As a suggestion, quick GDPR compliance companies have found a niche market at the moment (i.e.Trustarc or OneTrust); these provide a minimum level of compliance and allow to ‘buy’ some time in order to align the business to the newly introduced legislation.
In short: how can we know if the EU GDPR applies to my company?
Due to its wide range, it appears to be difficult not to be affected by the GDPR, but let us summarize in which cases it will be mandatory to implement its measures:
- When the company tracks EU customers’ data;
- When the company is based outside the EU but provides goods and/or services (even when free of charge) to EU customers;
- EU-based companies’ data is collected and processed regardless of the place of collection. This means that EU SMEs operating in Latin America must comply, in any case, with the EU GDPR (even if the data comes from Latin-American customers only) due to the nationality of the company itself.
Generally, compliance is always suggested and carefulness is needed when processing any kind of personal data originating from the EU, so be carefully compliant!