Back in the 90s the Internet was defined as a set of interconnected networks, and that was true: not many, but some private networks, especially university and military networks, were interconnected to provide a new way of communicating. That was good, but the definition of the Internet itself changed very quickly, migrating from a connection of networks to a connection of computers, and that was also great from the cultural, political, social, commercial and governmental perspective.
New technologies, new protocols, new computers and devices were connected, and another revolution in the way we communicate arose. As we know, technology and the evolution of communication never end. People became more and more connected thanks to Web 2.0 and 3.0, HTML5, social networks and many other new technologies that connect people and businesses around the world, changing the definition of the Internet once again. As I now understand it, the Internet is a network that connects people, no longer just networks, computers or devices, but real people, with real personalities and desires, exploring the full potential of an interconnected and globalized world.
Welcome to the future of the market and the way people commercialize their products and services, called e-commerce.
This new reality was excellent, providing new possibilities to everyone who has something to sell or to buy, without having to care about territoriality and borders. But it also brought new challenges from the legal perspective, since this new way of doing business directly affects people's personal data, which nowadays travels back and forth around the world.
With this new reality in mind, what are the concerns about personal data? What happens if this personal data falls into the wrong hands? What rights exist to protect personal data?
To help answer these questions, the GDPR (General Data Protection Regulation) was approved on 14 April 2016 and published in the Official Journal of the European Union on 4 May 2016. After a two-year transition period, this Directive must have been transposed into the national law of all EU Member States by 25 May 2018.
Companies, customers and citizens have lost control over personal data. The main idea of the new GDPR is to give back control of personal data and to simplify the regulatory environment for business, as described in the first article of the first chapter of the GDPR.
Subject-matter and objectives:
- This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
- This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
- The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
Although this new regulation is European, it ends up impacting the whole world, as seen in Article 3.
- This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
- This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
- This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Nowadays almost everything is related to e-commerce: opening a bank account, booking a flight or a hostel, enrolling at a university, online shopping, business-to-business (B2B), services in mobile apps (M-Commerce), on Facebook (F-Commerce), on TV (T-Commerce) and so on. All of these examples end up handing over the personal data of people, consumers, partners and EU citizens, containing personal information such as names, birthdays, addresses and, very often, credit card numbers.
Going further into the e-commerce business, every company that provides goods and services over the Internet must be ready to address the following points.
– Complete visibility: providing full visibility across the e-commerce operation is an important aspect under the GDPR. If we are not able to detect problems, we cannot fix them.
– Timely detection and investigation: a quick and fast response by e-commerce operators is an important aspect under the GDPR. If we are not able to detect an incident, it is impossible to respond quickly enough to remain compliant with the GDPR.
– Incident feedback: improving the security of the e-commerce system is only the first step towards meeting GDPR requirements. See Article 5 (Principles relating to processing of personal data), paragraph 1, letter (f).
Understanding the legal responsibilities in e-commerce when collecting or managing consumer identities may not only be difficult under the new GDPR but a huge challenge, since the penalties attached to the GDPR could make it hard for even major businesses around the globe to survive. The fact that your e-commerce business is located inside the European Union is no longer relevant; what really matters now is whether an e-commerce business collects, maintains or processes data of, or does business with, companies or individuals inside the European Union. If so, it must comply with the new regulation, as described above.
Another point of focus is that the new GDPR does not only affect the personal data of consumers and end users; it also applies to companies operating under a business-to-business strategy.
As already discussed by some specialized law firms for the similar case of mobile apps, to make sure an e-commerce business is running in accordance with the legal requirements, not only the questions mentioned above but also the following points must not be overlooked under the new regulation.
– Identify your customer base locations and understand the privacy requirements associated with each;
– Find out where customer data is stored and processed, and how it is interconnected across the network;
– Have a centralized and single platform for customer identity data.
According to the GDPR Guidance, all companies, and this includes e-commerce businesses, must respect and follow seven major changes in how they handle, collect and store data:
- Ends single consent: asking for consent should be separate from other terms and conditions, so that individuals are clear about what they are consenting to, and consent should not be a pre-condition.
- Deactivate opt-in: the GDPR makes it clear that pre-checked boxes are not a valid form of consent.
- Giving control: for the various types of data processing that may occur, allow for separate consent as much as possible, giving consumers more control over what they are consenting to.
- Transparency: always state the purpose of collecting data and name any third parties with whom the data will be shared.
- Keep records: maintain records of consents as completely as possible, for example what was consented to and which method was used to obtain consent.
- Easy to withdraw: individuals should be able to withdraw their consent easily. Organizations must provide simple, fast methods for withdrawing consent and make the right to withdraw consent clear. See Article 7, paragraph 3.
- Freely given: consent should be freely given by individuals, as described in Article 4, paragraph 11.
As for the conclusions and consequences, according to Article 83, paragraph 5, any e-commerce business that fails to comply with the legislation will be fined 4% of turnover or 20M Euro.
In case of data breaches, companies must report it within 72 hours and have the ability to demonstrate their security and data privacy procedures at a moment’s notice as seen in article 33.
Remember that all citizens will have the legal right to bring individual lawsuits and make compensation claims in the event of a data breach.
Given these two scenarios, it seems clear that this is not something any e-commerce company should ignore.
Last but not least, the new GDPR does not come to make business harder for e-commerce. On the contrary, it comes to guarantee more security and respect for EU citizens and companies regarding their data and how it is handled, serving as a guide to how companies such as e-commerce businesses will collect, manage and quickly respond to eventual incidents involving the personal data of their consumers, partners and suppliers.
Carlos Alberto Ribeiro
Paralegal and European Consultant of COTS Attorney-at-Law
Carlos Alberto Ribeiro, Paralegal and European Consultant of COTS Attorney-at-Law specialized in Cyber Law, Information Technology, e-commerce, digital contracts and cyber security.
Specialized in cyberlaw by FGV, he has also been a Linux and open standards professional since 1998, working for national and international companies such as Cisco Brazil, H&R BLOCK-USA, Novell and Komputer Linux.
Author of several articles and papers about digital law, e-commerce, cyberlaw, and cyber security.
Member of Cyber Law and Information Security, the European Cyber Resilience Research Network (ECRRN), IT4Legal and ICANN, Carlos Alberto holds various qualifications and has completed courses in IT and Law such as ContractX (Harvard), Digital Law (Porto University), MCSE (Microsoft Certified System Engineer), Novell Certified Linux Administrator, Novell Certified Linux Professional, Cisco CCNA, Novell OES Bootcamp, Novell Identity Manager, IBM Data Center Technical Specialist, IBM systemZ and Cisco ACS.
Speaker at national and international events: LinuxWorld, FISL, IBM CIO Meeting, SUSE Hackfest (Nuremberg, Germany), FOSDEM (Brussels, Belgium), openSUSE Conference (Thessaloniki, Greece), Scale (Los Angeles, USA), openSUSE Hack Week (Los Angeles, USA).
Managing Partner of COTS Advogados
Marcio Cots, Brazilian lawyer and professor, Foreign Legal Consultant (outside the USA) of CyberlawStudio PLLC, an American law firm based in New York City, and Managing Partner of COTS Advogados, a Brazilian law firm based in Sao Paulo. Both are boutique law firms specializing in the digital economy, focused on startups, e-commerce and IT companies.
Marcio holds various qualifications and has attended executive programs across Brazil and the United States including the Leadership in Corporate Counsel Program, at Harvard Business School – Harvard University and Cyberlaw Program, at Harvard Law School – Harvard University. Marcio is specialized in cyberlaw and is currently focused on providing legal expert advice for e-business and technology companies internationally. He is an expert in matters related to law and new technologies, and is consulted by many companies on issues such as privacy, information security, startups, e-commerce and international digital projects.