Draft Guidelines Clarify GDPR Scope

EU Draft Guidelines Clarify GDPR Scope

As GDPR continues to take root, having an impact in Europe and beyond the confines of the continent, news came late last month that the European Data Protection Board has published draft guidelines that touch on the data protection regulation’s territorial scope.

As reported through sites such as Lexology.com, the guidelines help clarify, for non-EU based companies, whether GDPR covers their own operations. The site notes that per the draft guidelines, “not all companies that process personal data relating to individuals in the EU are necessarily subject to GDPR.” By way of example, if a company controller that is based in the EU designates a processor located outside the EU to perform services for that firm, the processor in turn need not be subject to the GDPR.

Firms that are located outside the geographic confines of the EU that process data related to individuals within the EU may be covered by GDPR if they have an establishment in the EU, and, per the draft guidelines, have activities in place that can be viewed as being “inextricably linked” to the EU-based entity. “The application of the GDPR to processing activities must be assessed per controller/processor,” noted Lexology.

In terms of individual company news, this past week saw the disclosure that Uber has been hit with fines from regulators based in the United Kingdom, as well as Dutch regulators. The fines stem from data breaches against the company that came in 2016.

Within the U.K., the fine was levied by the Information Commissioner’s Office (ICO) against Uber for nearly $491,000, while the Dutch Data Protection Authority fined the company nearly $679,000. The data breach exposed information about 57 million users, spanning names, mobile phone numbers and email addresses. As many as 2.7 million users had accounts in the United Kingdom. In addition, data on 82,000 drivers based in the U.K. was pilfered in the breach.

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,” ICO Director of Investigations Steve Eckersley said in a statement that accompanied the announcement of the fines. “At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

Blockchain and Caution on Regulations

Separately, but still in the U.K., CCN reported that “regulatory uncertainty” in the country’s blockchain sector stands among the biggest concerns for companies working with distributed ledger technology. The data from digital firm Digital Catapult shows that 74 percent of blockchain firms in the U.K. cite the concern, tied in part to GDPR, as data storage remains an issue yet to be fully codified.

“This legislation raised concerns for companies using permissionless, public blockchains, which are open to anyone regardless of location, and where full copies of the database are replicated across all of the nodes participating in the network, making it impossible to selectively limit where the data goes,” Digital Catapult said in the report, titled “Blockchain in Action: State of the UK Market” as cited in CCN. Also among the cited regulatory concerns was fundraising activity tied to initial coin offerings (ICOs), as formal guidance has yet to be issued from the Financial Conduct Authority (FCA).

“This uncertainty was raised many times by the companies consulted, as they were unsure whether they should conduct an ICO in the U.K. or allow U.K. citizens to participate given the current regulatory landscape,” said the report.