EU data regulation affects more than EU customers

Recently Google’s parent company Alphabet was fined €2.42 billion by the EU for antitrust violations. That the EU would fine an American company is nothing new, and has been going on for several decades at this point. The EU has also fined the Japanese glass manufacturer Asahi, among others, for being part of a glass cartel. The American giants Facebook and Microsoft have also been fined. That the EU has such wide-ranging power is simply a fact of a globalised economy. It also makes the forthcoming General Data Protection Regulation, or GDPR, all the more vital, and not only for citizens of the European Union.

EU Regulation 2016/679 was adopted by the EU on 27 April 2016 and will come into force on 25 May 2018. As it is a regulation as opposed to a directive it will require no further legislation to become enforceable, making it a force to reckon with as of next spring. The aim of the law is to provide better data protection for all EU citizens and give them greater recourse when their data protection is violated.

The ramifications of GDPR will stretch beyond the EU. Article 44 of the data protection regulation aims to protect customers from companies or organisations operating in locations which, from the GDPR point of view, have inadequate data protection laws. However, where the European Commission is of the opinion that a country has sufficient data protection regulations (to date this includes Uruguay, Argentina and New Zealand, to name just a few), that country is whitelisted and companies there effectively have the same standing as companies in the EU/EEA. There is therefore a chance that companies across the world might lobby their home country for legislation that mirrors GDPR in order to be whitelisted.

However, not everyone is looking forward to the GDPR taking effect in 2018. In the past many large companies, such as those on the FTSE 100, have had only limited success in implementing new data security measures. Under the GDPR, companies can be fined for failure to comply with the regulation. Some have suggested this could cost the FTSE 100 some £5 billion per year.

In order to counteract potential shortcomings in security implementation, some companies are seeking customer consent to keep their data. Once the GDPR comes into effect next year, companies will be required to obtain explicit consent from customers on a regular basis in order to store their information. Others, however, are taking a more long-term approach, endeavouring to make the necessary upgrades and other changes to their data protection apparatus before spring 2018.

These changes will apply not only to EU companies or companies based in the EU, but also to any that provide their services to EU customers. Instead of being territorial in nature, as many laws are, GDPR will cover any customer using a specific service. As companies like Asahi and Microsoft have discovered, the EU takes its territorial reach very seriously. The GDPR approach is therefore quite likely to be adopted in one form or another by other countries across the world, in an effort to protect online customers. While security experts and data protection specialists are hopeful, they warn that now is not the time to get lazy with online security.