EU Data Privacy Laws Creating Local Waves
Reactions to the implementation of the EU’s General Data Protection Regulation (GDPR) have been mixed in Thailand, with executives claiming their companies are prepared to handle the additional burden, but third-party observers have expressed scepticism about local firms’ ability to adapt to the regulation and its legality in the country.
WHAT IS GDPR?
The GDPR empowers European citizens as data producers and data owners, but may represent a substantial burden for firms in developing countries. The law is expected to make waves not only in IT departments, but also in the way products are marketed and sold.
Under the terms of the regulation, personal data includes: name, photos, email addresses, bank details, updates on social networking websites, location details, medical information, computer IP addresses, and other personal information. Processing is defined broadly and refers to anything related to personal data, including how a company handles and manages data, such as collecting, storing, using and destroying data.
The GDPR establishes a higher standard of consent for using some types of data, and increases the rights individuals have to access and transfer their data.
Failure to comply with the GDPR will result in significant fines, which represent up to 4% of a company’s global annual revenue.
The law makes no distinctions between personal data about individuals in their private, public or work roles. The regulation will extend to business-to-business (B2B) settings, when personal data is involved.
However, there is no distinction between personal data about individuals in their private, public or work roles — the person is the person. Also in a business-to-business (B2B) setting, everything is about individuals interacting and sharing information with and about each other. Customers in a B2B market obviously share companies, but the relationships that handle the business topics are people — or individuals.
In short, the GDPR applies to all businesses and regulations established in the EU, regardless of whether the data processing takes place in the EU or not. If a business offers goods and/or services to citizens in the EU, then it is subject to GDPR.
TECH FIRMS: PRIVACY IN PROGRESS
According to Facebook’s statement, the company is in compliance with current EU data protection law and will comply with the GDPR. The company’s GDPR preparations are well underway, led by its Dublinbased data protection team and supported by the largest cross-functional team in Facebook’s history.
The company launched a new control centre to make privacy settings easier to understand and update.
“We’ll also remind people how to view and edit their settings as they use Facebook,” the company said in a press release.
Businesses that advertise with Facebook companies can continue using Facebook platforms and solutions in the same way they do today.
Each company is responsible for complying with the GDPR, just as they are responsible for
complying with the laws that apply to them today.
William Malcolm, legal director for privacy at Google, recently expressed Google’s commitment to comply with GDPR in a blog.
“We’ve been working on our compliance efforts for over 18 months, ahead of the new law coming into effect,” he said.
“As part of our GDPR compliance efforts, we’ve improved both the controls and the clarity of information in ‘My Account’ so that people are better informed about how and why their data is collected. Within My Account, users can use Activity Controls to choose what activity is saved to your Google Account,” said Mr Malcolm.
Google will provide on/off switches to control Location History, Web and App Activity, YouTube Search History across devices signed in to user accounts.
Users can view or delete data — including search history, location history, browsing history using My Activity.
The GDPR places new obligations on Google, but also on any business providing services to people in the EU. That includes Google’s partners around the globe: advertisers, publishers, developers and cloud customers.
“We’ve been working with them to prepare for May 25, consulting with regulators, civil society groups, academics, industry groups and others,” he added.
Under the new rules, companies must get consent from parents to process their children’s data in certain circumstances.
To obtain that consent and to make sure that parents and children have the tools to manage their online experiences, the company is rolling out Family Link — already available in various countries around the world — throughout the EU.
“For advertising partners, we already ask publishers to get consent from their users for the use of our ad tech on their sites and apps under existing legislation, but we’ve now updated that requirement in line with GDPR guidance,” said Mr Malcolm.
Google is working closely with publisher partners to provide a range of tools to help them gather user consent, and built a solution for publishers that want to show non-personalised ads, using only contextual information, he said.
GDPR NOT ENFORCED HERE
Deputy Prime Minister Wissanu Krea-ngam said the Digital Economy and Society Ministry is assessing the issue to limit the adverse effects of GDPR.
The government’s Personal Data Protection Act is also aimed at mitigating the effects of GDPR, said Mr Wissanu.
“If there is any impact on Thais, it would come from Thai law, not from EU law,” he said.
The EU imposes fines of up to €20 million (752 million baht) for personal data leakage of EU citizens. The Thai law does not impose such severe fines. Instead it requires presumed offenders to undergo legal proceedings in Thai courts, under Thai law, said Mr Wissanu.
Asked whether Thailand could be blacklisted or suffer trade restrictions with the EU if EU citizen data is leaked in the country, he said GDPR cannot be applied in Thailand’s jurisdiction, and such blacklisting cannot occur because Thailand has already prepared measures for personal data protection.
Reference: Bangkok Post