1. The main purpose of adopting the GDPR is to make life difficult for business.
In fact, the main goal of the GDPR is to let users control who uses their personal data and how, and to let them easily, and at any time, prohibit such use or change the conditions under which their personal data may be used for marketing purposes.
Companies collect personal data in order to improve marketing and make it personalized, that is, aimed at each individual user based on his preferences and interests, which are inferred from the user's behavior on the Internet: the sites he visits, the likes he leaves, even how he moves the mouse around a page. For the average active user, such data can be collected on the Internet as: gender, age, marital status, profession, interests, consumer habits. If geolocation tracking is added to this, the amount of information about each person held by some companies becomes frightening, especially when one thinks about the leakage of this data. It gets even worse at the thought of possible manipulation of users' behavior and decisions; an example is the news about the activities of Cambridge Analytica.
Some publications give the example of a program that, from an analysis of just 10 likes, gets to know a person better than his colleagues know him. From 70 likes, the program learns as much about a person as a close friend knows; from 150 likes, as much as parents, brothers or sisters; and from 300 or more likes, it knows him better than his spouse does.
Looking at this from the user's point of view, one can see a clear advantage in adopting the GDPR. Its main purpose is to limit the uncontrolled use of personal data for commercial purposes, a situation in which the data subject has no idea who uses the information about him collected on the Internet from various sources, for what purposes, and in what way.
2. The GDPR applies to Russian companies that process the personal data of at least one citizen of an EU member state.
This is also a fallacy. The GDPR regulates the processing of personal data not of EU citizens, but of all persons who are in the EU:
"This Regulation applies to the processing of personal data of data subjects who are in the Union ..."
GDPR, Art. 3(2).
According to a representative of the European Commission (whom the author was able to question informally at an international conference in June 2018 [1]), the GDPR does not apply to the processing of personal data of persons who are outside the EU, even if they have left only temporarily. At the same time, the processing of personal data of Russian citizens who are travelling in Europe is subject to the GDPR.
Again with reference to the unofficial explanations of the European Commission representative: to attract the regulator's attention, a company must primarily process a large amount of data of European users. If a Russian company's goal is not to collect or process data of Europeans, and the persons whose data it processes only occasionally end up in Europe, then the regulator is unlikely to take an interest in such a company's activities from the point of view of GDPR compliance.
There is an opposing opinion that if services are provided outside the EU (for example, a room in a hotel in Russia can be booked remotely from EU territory), the organization should not fall under the GDPR, since its activities are not carried out on EU territory and are not subject to EU law. This opinion does not fully agree with the provisions of the GDPR: if such a company uses the data of persons who mainly reside in Europe, the GDPR will apply to it. Taking the hotel example, while a European is staying at the hotel he really is not in Europe. But if, after his return, the hotel continues to process his data and, for example, sends him marketing materials, it turns out to be working with the data of a person living in Europe. If, however, the data is not used for marketing purposes but is collected only for booking and registering the stay, then there is no problem: the GDPR allows data to be collected and processed for the performance of a contract, and the data subject's consent is not required in that case.
3. User consent to the use of their data is always necessary.
Not exactly. In the case of a non-European company, the GDPR applies only when personal data is used for marketing purposes (offering goods or services) or for monitoring user behavior in Europe. If the data is not used for these purposes, the provisions of the GDPR will not apply.
"This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union."
GDPR, Art. 3(2).
When data is obtained for the purpose of performing a contract, consent is not required. There are also other cases in which the use of personal data does not require consent. But if, after the contract has been performed, the data remains with the company and is stored by it (for example, in a CRM system), the user's consent is required.
4. Violations of the GDPR will be fined immediately, and the fines will be very high.
Nobody will be fined immediately. Regulators in the different countries are only starting to work with the new rules and will be cautious while practice takes shape, keeping an eye on each other. They are unlikely to hurry to apply fines; warnings and orders will most likely come first. The fine amounts specified in the GDPR are upper limits; in the event of a violation a fine may not be applied at all, or may be small. Penalties will most likely be calculated on the principle that they should be proportionate and effective, and the main goal is not to strangle a business but to steer it onto the right path.
In addition, judicial practice (including that of the Luxembourg Court) will develop in parallel, and regulators can also be expected to wait for it before beginning mass inspections and sanctions.
During the informal conversation with the European Commission representative at the conference, it was suggested that several demonstrative proceedings might be brought against some of the giants, to make it clearer in practice what behavior is unacceptable and what it may lead to.
On the question of applying penalties for violating the GDPR, the following positions appear to be the most correct:
"In general, the large fines in the law should be seen as a deterrent measure, and not as a new way of replenishing the local budgets of the EU countries."
"The specific amount of a fine will be determined individually, taking a large number of factors into account. A multi-million fine may be imposed on an organization if it knowingly and maliciously violated the rights of data subjects, carefully concealed this, and derived high profit from such processing of PD."
As for the concerns of Russian companies that they may be fined for not complying with the GDPR, such concerns are unlikely to materialize. It will not be easy for a regulator to hold accountable a company that has no representation in Europe, and it will be even harder to enforce the imposed sanctions on the territory of a non-EU state. Therefore, the main form of regulation predicted in connection with the GDPR is industry self-regulation: European businesses will gradually refuse to work with companies that do not comply with GDPR requirements. Accordingly, the main negative consequence of non-compliance with the GDPR is not fines, but a loss of competitiveness in the European market.
5. Personal data cannot be transferred to other countries without proper supervision and permission.
Data can be transferred if there is a contract with the company to which the data is transferred, and if that contract provides certain guarantees. In addition, there is Council of Europe Convention 108 (to which Russia is a party), which states the following:
"A Party shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorisation transborder flows of personal data going to the territory of another Party."
There is no definitive answer yet on how the provisions of Convention 108 relate to the GDPR's restrictions on data transfers; there may be a contradiction between them. But in any case, data can be transferred where there is a contract, as well as in certain other cases specified in the GDPR.
[1] Pearse O'Donohue, Acting Director for DG CONNECT at the European Commission.