The road towards implementation of the new European GDPR (the General Data Protection Regulation) has been a long one, even though public awareness of its impact, especially outside of Europe, is only now really starting to take hold. This game-changing piece of EU legislation will require companies to fundamentally change how they process and use personal data (broadly defined) they receive from EU citizens, including through consent and data handling agreements with their customers, supply chains, and vendors. It will come into effect on 25th May, 2018, and will have tremendous reach, touching on all business sectors. More than that, the GDPR has extra-territorial scope and will apply to any business that processes the personal data of European users, irrespective of whether that business has any physical presence in the European Union.
The aim of the GDPR, which will replace the currently applicable European Data Protection Directive of 1995, is to both meet the challenges of globalization and address dynamic new products and services, while also trying to create a future-proof framework that will comfortably accommodate emerging technologies and scenarios, including the Internet of Things. It is also a response to Europeans’ growing concerns over the control and use of their personal data in the new data powered environment. By way of illustration (below), in March 2015 a Eurobarometer study asked 28,000 EU citizens what they thought about the protection of their personal data, and 67% of respondents stated that they did not believe they had complete control over the information they provide online.
Almost three quarters of the respondents did acknowledge and accept that providing personal data is an increasing part of modern life, but only one third indicated that providing such data was not a big issue. Clearly, something had to be done to help build user trust.
Strengthening the EU Digital Single Market
The GDPR process began back in 2009 with a consultation launched by the European Commission, along with stakeholder meetings held throughout 2010 and 2011. Speeches given by the then EU Justice Commissioner, Viviane Reding, were combed over for clues as to the Commission’s plans, and finally in January 2012, all was revealed when the first draft of the GDPR was published. That triggered a four-year process in Brussels, involving the European Parliament and the European Council (EU Member States), ongoing Commission input and intense lobbying efforts by business and civil society representatives which resulted in many thousands of amendments (4,000 submitted in the lead European Parliament Committee, LIBE, alone). The text was finally agreed in December 2015 and the Regulation was formally adopted in April 2016, kicking-off the two-year implementation clock at a national level and for businesses preparing to comply.
An issue that had to be tackled was the fragmentation of data protection laws across Europe under the current Data Protection Directive, as each Member State had applied its own set of rules to broadly implement the EU legislation. This has been confusing not only for end users but also for those businesses trying to operate across the European Union and tailor their offerings accordingly. As such, while national derogations on some issues remain possible under the GDPR, there will now be a more solid and predictable framework in place, since the new law is a Regulation rather than a Directive and so is directly-applicable in each Member State.
The GDPR sets out a coherent risk-based approach to privacy protection and also codifies certain important principles, such as control and transparency (for users), accountability (for data processors and controllers), and privacy by design and default. Consent of users for the use of their data must be “freely given, specific, informed and unambiguous” and data portability has been enabled, allowing users to move between providers with ease. Sensitive data, such as health and genetic data, have a higher level of protection and the right to erasure, more commonly known as the “right to be forgotten” has been clarified.
This last provision is a headline GDPR item that has perhaps attracted the most media attention but is often misunderstood. The concept of a right to erasure already exists and can be applied through extensive interpretations of the current Data Protection Directive. However, this right will now be formally fortified by the GDPR. Importantly, this is not a carte blanche for content removal, and freedom of expression and historical and scientific research considerations remain safeguarded. That said, there will always be challenging cases and technical implementation for search engines in particular is tricky. More troubling are recent attempts to apply the right and treatment across multiple territories, an issue that is now the subject of legal challenges in the European Court of Justice and the Canadian courts, as led by Google, who has been asked to delist certain search results globally.
Cloudflare’s plan of action
Security and privacy go to the very core of Cloudflare’s value proposition and we already use “state of the art” (to use GDPR phraseology) technology and encryption as security features to ensure the confidentiality, integrity, availability and resilience of our processing systems and services. As such, we’ve been working hard to get ahead of the game and to be in full compliance before the May 2018 deadline. This in turn will help our customers and partners to prepare for GDPR compliance on their side, without operational overhead.
GDPR provides an opportunity for Cloudflare to strengthen its privacy offerings by introducing added control mechanisms for our users, and new features to help businesses, partners and vendors with their own GDPR compliance journey. We are working internally to see how best we can evolve our service with new functionalities, and are updating any agreements that need to be updated to reflect the GDPR framework. This is a full team effort at Cloudflare, as privacy will be further embedded into all of our engineering and product development processes, in addition to detailed data audits and privacy impact assessments.
While GDPR roll-out is a resource intensive programme for any company that wishes to do it right, there are many upsides to introducing such rigour across the business and ultimately our users and partners will be the beneficiaries. Ensuring absolute trust in our services and empowering our users is something that has always been inherently important to Cloudflare, and the GDPR is an important step forwards further clarifying, enabling and advancing individual privacy rights.