By Shon Ga-ram
Recently, there has been controversy over Facebook users' personal information being improperly obtained by a third-party app. Although it has not been decided whether Facebook was negligent, its reputation suffered for failing to act responsibly to protect the personal data of its users.
The data, it has been suggested, was used to sway opinions in the British referendum on leaving the EU and the 2016 U.S. presidential election.
Facebook CEO Mark Zuckerberg was asked to testify before the U.S. Congress to answer questions about the matter. Facebook is now implementing platform changes intended to prevent other apps from improperly obtaining user data again.
However, it may be fortunate for Facebook that the case came to light before the European Union's General Data Protection Regulation ("GDPR") takes effect. Under the GDPR, a violator can be fined up to 20 million euros or, in the case of an enterprise, up to 4 percent of its total worldwide annual turnover for the preceding financial year, whichever is greater.
So what is the regulation? The GDPR is an EU regulation on data protection and privacy for all individuals within the European Union. It was adopted in April 2016 and applies from 25 May 2018. Because it is a regulation rather than a directive, it is directly applicable in every member state and does not require national enabling legislation, whereas the previous Data Protection Directive had to be transposed into national law by each member state.
To be able to demonstrate compliance with the GDPR, a data controller must implement appropriate technical and organizational measures that meet the data protection principles. In the case of a personal data breach, the data controller is under a legal obligation to notify the supervisory authority without undue delay, and where feasible within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned.
The GDPR applies not only to organizations established in the EU, but also to organizations outside the EU that process the personal data of individuals in the European Union in connection with offering them goods or services, or with monitoring their behaviour, regardless of where the organization is located. This covers data processors as well as controllers, which includes, but is not limited to, cloud service providers.
Although Korea already has a Personal Information Protection Act (PIPA) and related guidelines on personal information, every company that does business involving individuals in the EU must be aware of the relevant requirements and sanctions set out in the GDPR.
The thoughts and opinions expressed in this column are those of its author and do not necessarily reflect those of HMP Law.