The European Union has reached a new level of data protection for its people. Individuals will now control their personal information: they can learn how and why companies use it and decide when to suspend the permission for the use of their data.
It has already been a week since the General Data Protection Regulation took effect. It introduces a list of rules based on giving priority to the privacy of users' personal data.
Personal data is data that can either directly or indirectly identify a person. This includes names, birthdays, addresses, photos, emails, bank details, IP addresses, cookies, geographical position, and genetic and biometric data.
In the modern world, personal data is used in all spheres, from social media to banks, shops and government agencies. Almost all the services that we use collect, process and store our data.
Often we are made aware of this; more often, however, we don't know how companies use the information that we provide them.
Companies are now required to present the purpose of collecting, processing and subsequently using data in a concise, clear and detailed way, to get special consent from the user, and to delete the data when the user decides to suspend the permission for its use.
This regulation is especially important in the context of Facebook's latest scandal, when it became clear that 87 million users' personal data had been accessed and used for targeted political ads.
Cambridge Analytica, which worked with US President Donald Trump's campaign team, acquired millions of US citizens' Facebook profiles and used their data to create a program which would determine the preferences of voters and influence them.
Facebook learned about this at the end of 2015, but did not inform its users in any way. Only in March of this year were the details regarding this massive data misuse revealed.
Under the General Data Protection Regulation, companies should not only ensure that users' and customers' personal data are encoded within the law, but they are also required to protect that data from incorrect and inappropriate use and abuse.
In case of data leakage or theft, companies are required to inform users/customers and the relevant authorities within 72 hours after the problem has been reported. Moreover, they should be made aware not only of the incident, but also of the possible negative consequences resulting from it.
Companies should provide information on what type and amount of information has been leaked/stolen and what the consequences may be, such as money theft or identity theft. They should also present the measures which they are taking to address the problem.
This law applies to any company operating in the European Union, and to any company outside the European Union which provides services or products to customers or businesses that are within the European Union. It applies regardless of whether the customer in the EU is an EU citizen, a resident or only temporarily there.
This means that even Armenian companies which carry out similar activities in the EU are required to comply with the requirements of this regulation. The Agency for the Protection of Personal Data has created a chart which shows to which Armenian companies, and in which particular cases, the EU regulation would apply.
Companies that do not comply with the requirements of the new regulation will be subject to excessively high fines of up to 20 million euros or 4% of annual global turnover, whichever is greater.
Due to non-compliance with the General Data Protection Regulation, a number of media outlets and other sites are not available to users visiting from the EU.
This is the price that most sites pay for avoiding possible fines.
The views expressed in the column are those of the author and do not necessarily reflect the views of Media.am.