EU GDPR law Highlights: From Facebook to Google, why privacy policies are changinghttps://indianexpress.com/article/technology/tech-news-technology/eu-gdpr-law-live-updates-facebook-to-google-everyones-upgrading-privacy-policies-5190284/

EU GDPR law Highlights: From Facebook to Google, why privacy policies are changing

European Union's General Data Protection Regulation (GDPR) goes in to effect today. Here are live updates on what these changes will mean for users.

GDPR, General Data Protection Regime, GDPR compliance, what is GDPR, GDPR India, GDPR stands for, EU GDPR, GDPR Policy, GDPR meaning, GDPF full form, GDPR privacy policy, Google GDPR, GDPR full form
EU GDPR law LIVE UPDATES: Facebook to Google, here is why everyone is update their privacy policies.

European Union’s General Data Protection Regulation (GDPR) goes in to effect today, and that’s the reason why most email inboxes across the world are flooded with emails about updates to privacy policies for companies. GDPR will lay down a new set of rules regarding processing of personal data and with regards to free movement of this data. Essentially, ‘data protection’ is seen as a fundamental right under the new GDPR rules, and according to the Act, this is in “balance with other fundamental rights.” The new set of rules also aim to ensure a “high level of data protection.”

GDPR will give EU citizens more control over their data, but it has implications beyond the European Union. GDPR is also the reason why nearly all players from Google to Facebook are updating their privacy policies and alerting you about the same. Here’s a look at all the key developments with regard to GDPR, which comes into effect from today, which is May 25.

Also Read: GDPR: EU’s new data privacy regulation, and how it will affect rest of the world

Live Blog

General Data Protection Regulation (GDPR) LIVE UPDATES: Facebook, Google privacy policy updates

GDPR: Facebook introduces privacy reviews for Indian users

Facebook has updated its data policy as European Union's General Data Protection Regulation (GDPR) rules go in to effect from May 25. As part of changes, the social media platform will send an alert on users' News Feed encouraging them to review details about advertising, facial recognition software, and information they have shared over their profiles and Timelines. Facebook's privacy review will be made available in 11 local languages in India.

ALSO READ: Facebook’s privacy review will be available in 11 Indian languages: Here’s what you will know

GDPR: What experts have to say

"Companies need to realize a breach is inevitable and key stakeholders, their customers, expect them to take reasonable measures to prevent breaches in the first place, and when that fails, to respond quickly and appropriately. GDPR mandates this practice for companies that operate in EU or company doing business with EU citizens. Questions remain, however, around implementation, interpretation and administration of the data protection practices – and these will need to be ironed out as the GDPR becomes enforceable. In order to be compliant, a business must begin introducing the correct security protocols in their journey to reaching GDPR compliance, including encryption, two-factor authentication and key management strategies to avoid severe legal, financial and reputational consequences," Rana Gupta, Vice President – APAC Sales, Identity and Data Protection, Gemalto said in a press statement.

GDPR and penalties: Will companies be fined for violation of rules?

Yes, this is one of the most important part of the GDPR framework. According to the rules, countries can fine companies over non-compliance or violations of GDPR. 'The fines must be effective, reasonable and dissuasive for each individual case,' according to the rules.  However, EU's GDPR also notes that the lack of cooperation with authorities will result in higher penalties. For really severe violations, countries can fine a company up to 20 million Euros or up to 4 per cent of a company's global turnover from the last fiscal year, whichever is higher.  Thus in theory,  companies like Google or Facebook could face a fine of billions of euros, if an EU country finds them guilty of seriously violating GDPR framework.  

GDPR and the right to be forgotten

EU's GDPR also comes with the right to be forgotten. In this, a user can demand that the company delete all the personal data they have collected regarding them,'without undue delay,' according o the Act. It also says that when the personal datas is no longer necessary for the purpose for which it was collected or if the user withdraws consent, or where personal data has been 'unlawfully processed,' they will have to remove the user data. 

GDPR and the right to Data Portability

One of the key features of GDPR is the 'Right to data portability.' What this says is that the 'data subject' or the user will have right to receive all their personal data concerning them which they have provided to a company. The data should be received in a 'structured, commonly used and machine-readable format.' The user will also have the right to have their 'personal data transmitted directly from one controller to another, where technically feasible,' according to the GDPR rules.  

GDPR and what it does for 'user consent'

One of the more interesting aspects of GDPR's is how it deals with the idea of a user consent. For one, the companies need to take explicit consent from the user for processing their data, and they need to provide sufficient information to the the user with regard to this collection. The user will need to understand what they are consenting to, under GDPR's new rules and laws. 

Instagram's updated privacy policy

Like Facebook, WhatsApp, and others, Instagram has also updated its privacy policy. This was rolled out in April 2018, and the new data policy explains in details how the user data is collected and used in Facebook Products.  The policy also covers the newer features such as stories, direct messaging, activity status and the creative tools in the camera app. It explains how the data is used to show ads, and also what sort of data sharing takes place with Facebook. Read more details here.

GDPR and Twitter: What changed with privacy policy

Twitter is another popular social media network, which had updated its privacy policy in regard of EU's GDPR change.  The privacy policy highlights that Twitter is collecting some personal information like the type of device one is using, such as smartphone or the IP address. It adds that this is done to show more relevant tweets, better ads, etc. “In addition to information you share with us, we use your Tweets, content you’ve read, Liked, or Retweeted, and other information to determine what topics you’re interested in, your age, the languages you speak, and other signals to show you more relevant content,” says the Twitter Privacy policy. 

GDPR and privacy policy: Needs to be in plain language

One major change with GDPR is that it puts the stress on explaining privacy policy in plain and simple language. With most technology companies, the privacy policy is a long, complicated document that most readers do not end up reading, since it is full legalese. With EU's new GDPR rules, all of this changes.  

GDPR and WhatsApp's Request Account Info feature

WhatsApp has rolled out a Request Account Info feature in compliance with GDPR.  This will let users download all the data that WhatsApp has collected in the past about them. Users can got Settings, Account, followed by Request Account Info and ask for report of their WhatsApp account information.  The report is generated in three days and users will be able to download it and export it to another app. However, the report does not include your WhatsApp messages. 

Will GDPR be limited to just European Union?

Here's where things get interesting and the implications of GDPR become clearer.  GDPR applies to all companies which are collecting data of EU citizens, and not just those based in the EU. It also means that for internet companies they will have to upgrade their policies worldwide, as is clear in the case of Google, Instagram, and even WhatsApp. For instance, WhatsApp is now providing users a tool to check what all data of theirs is collected by the app. 

GDPR and Google: What is changing with the data privacy policy

For those who are not aware, Google has already sent out mails highlighting key changes to its privacy policy in light of GDPR coming into effect.  Google says it will make it easier for users "to understand what information" they collect and why it is collected. Google says it has improved the way it describes data policies, pratices and explanations on how users can update, manage, export, and delete their data. Google is extending these privacy policy improvements to users across the world and not just limiting it to EU. 

"We’ve improved the navigation and organization of the policy to make it easier to find what you’re looking for. We’ve also explained our practices in more detail and with clearer language," says Google. It will also offer a visual description is easier to understand some details about the policy along with videos to make some points clearer. 

GDPR: What it says about data breaches

When it comes to data breaches, GDPR says that companies will need to inform regulators within 72 hours. If one takes the recent Cambridge Analytica and Facebook scandal, the social media giant is still scrambling to figure out how big the impact of this data leak was and Facebook has itself said that a full investigation into other apps could take years. But with GDPR, this deadline of informing users and regulators is now 72 hours. Failure to do this could come with steep fines. 

EU GDPR: What needs to be told to the data subject

According to Article 13,  GDPR says that the subject or the user needs to be made aware of the "identity and the contact details of the controller and, where applicable, of the controller’s representative," when their personal data is being collected. Companies are also asked to tell users about the contact details of the data protection officer, where it is applicable.  More importantly, companies will have to tell the users, "the purposes of the processing for which the personal data are intended as well as the legal basis for the processing." If the data will transfered to a third country, then too companies need to alert the user.  

EU GDPR: Data protection by design

One of the key principles of GDPR is that it calls for 'data protection by design.'  According to Article 25, the controller needs to "implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation." It also notes that the controller needs to ensure that only personal data is collected which is needed. They will also need to make sure that an individual's personal data is not made accessible to other persons without the user's intervention or explicit permission. 

GDPR: What does it say regarding data storage and processing?

Article 5 of the General Data Protection Regulation lays out the principles of how data is to be processed and says this should be done 'lawfully, fairly and in a transparent manner in relation to the data subject.' The data can only be used for the specific purpose for which it is collected, and the section notes, 'not further processed in a manner that is incompatible with those purpose.' It also adds that the companies, entites collecting data need to take steps to ensure this data is 'accurate and, where necessary, kept up to date.' On the subject of storing personal data, it says this can be stored for longer purposes only for 'archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.' The Section also notes that entites need to ensure 'appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.' So yes, internet corporations, especially a Facebook or Google, which are collecting large amount of personal data need to ensure that it is not misused or stolen or damaged.

GDPR aims to put more control in the hands of the user when it comes to their private data and how it is processed and used by internet corporations. But it will go beyond just social media companies like say Facebook or WhatsApp. This also includes data collected by banks, retailers and how it is stored and used. GDPR ensures that companies which collect private user data ensure that it is not exploited or misused.