The European Union Shakes Up Privacy Regulation
The new regulation, with global repercussions, applies from May 25
El Financiero (Costa Rica), June 2nd, 2018. Juan Ignacio Guzmán Fernández
Data analysis aims to turn data into information. Whether a data set counts as significant is not necessarily a matter of its size, but of the complexity of processing it.
Today, having access to data means having the ability to generate new business opportunities. Hence the term "mining": the process of searching for something valuable within the mass of data.
That data may originate from the use of social networks, online purchases, data transmission, and the sensors used in the Internet of Things (IoT); in other words, from all the interactions that electronic commerce and social networks produce.
Against this background, on May 25th, 2018, the General Data Protection Regulation (GDPR) came into effect in the countries of the European Union (EU), at a time when companies are undergoing transformation and digitalization processes, and when data and information are of fundamental value to any organization.
What does it consist of?
The GDPR is a new privacy regulation, considered radical by some sectors and necessary by others. It covers any business that processes information about EU residents, and it will drastically change the way data is accessed, stored and used, even for companies outside the European Union that do business in that economic region.
The arrival of the GDPR has been marked by the massive theft of personal data and its illicit use (the case of Facebook and Cambridge Analytica), which highlighted the need to confront such events legally.
The GDPR provides a rigorous sanctioning regime for infringements. Depending on the case, administrative fines can reach EUR 20 million or 4% of the company's worldwide annual turnover, whichever is higher, which for large companies means hundreds of millions of euros.
In addition, the GDPR recognizes a right to compensation for any person who has suffered damage (material or non-material) as a consequence of an infringement, such as the theft or illegal use of personal data.
The GDPR is a powerful regulation. It applies principally, but not exclusively, to organizations with EU-based operations that process the personal data of residents of the Union. Some of its most sensitive aspects are the following:
The scope of the regulation. It is essential to review our organizations' procedures, because the GDPR applies to activities related to offering goods or services to, or monitoring the behaviour of, individuals in the European Union, whether or not the controllers or processors are established in the EU. This means that many non-EU companies with customers or users in the region will be subject to compliance with the GDPR.
Profiling. Additionally, for online companies, each individual now has a general right to object to profiling, and the GDPR requires that people be informed of this right to object in a clearly visible manner.
Profiling that significantly affects a person may only be carried out in certain circumstances, for example with the individual's explicit consent, and a decision about that person may not be based solely on automated processing: the individual must be able to obtain human intervention.
Granting consent. Consent must be informed and freely given, which means that the data subject must have a genuine choice of whether or not to consent, for example by ticking a box on a website. Consent will not be valid for unspecified data processing, nor for persons under 16 years of age without the consent of their parent or guardian.
Likewise, withdrawing consent must be as easy as giving it.
Right to be forgotten. The "right to erasure" or "right to be forgotten" gives people the right to have their personal data deleted when the data are no longer necessary or when consent is withdrawn. There are some exceptions, including when the data are required for scientific research or to comply with a legal obligation under European Union law.
Reasonableness. Controllers must take all reasonable steps to implement compliance policies and procedures that respect people's choices, and these must be reviewed on a regular basis.
Note that controllers will need to build privacy protections into the entire data-processing life cycle, from the moment of collection until deletion.
Clearly, this is a complex regulation of great relevance to Costa Rica, spanning technology, business, ethics and law. We hope to expand on our recommendations in the near future and to learn from the experiences of the first days of the GDPR's application.
Guzmán & Durán Legal Advisors