Are You Ready for GDPR Day on May 25?

Posted by Reading Time: 3 minutes

Op/Ed by Michael Mudd, Managing Partner, Asia Policy Partners LLC

The EU’s General Data Protection Regulation (GDPR) is quietly working before its implementation.

Airbnb will ‘revise’ their privacy policy on May 25. One of the revisions is that US users will now deem to contract with Airbnb in California, while the rest of the world, including Taiwan, Macao and Hong Kong (but not for some odd reason, mainland China), the data controller is deemed to be in Ireland, but for payments it will be the UK.

Related-Link_CB-icons_2017RELATED: China’s Cybersecurity Law: An Introduction for Foreign Businesspeople

This is markedly different to Facebook, which announced they will move all non-EU users’ data to the US before May 25. This does make a difference as certain types of data, such as browsing history, for instance, are considered personal data under EU law but are not protected as such in the US.

Similarly, LinkedIn announced new terms that take effect on May 8 to move non-European users to contracts with US-based LinkedIn Corp. Similarly, Microsoft Outlook email services announced on April 25 that non-EU resident data will be located in the US. Microsoft added that additional features to support the GDPR for European residents will be available by May 25.

Google appears to be passing the buck back to ‘publishers’ to handle privacy issues for most of its services, except Gmail. New announcements regarding security options for Gmail are expected soon. A quick look at Verizon/Oath (ex-Yahoo!) reveals a privacy policy section that is not searchable by keyword and any reference to the GDPR is not immediately apparent.

Amazon last updated its consumer website’s privacy policy in August 2017. A search under ‘GDPR’ in the help section gets a single reference back to the privacy policy. However, there appears to be no specific reference to GDPR compliance.

AWS, on the other hand, has extensive paperwork on GDPR, as has Microsoft for their Cloud services compliance, which is searchable and comprehensive.

The issues that companies involved in online advertising face are complex. The average page load on an ad-supported website includes 172 network requests just for advertising, according to recent research from Ad Lightning.

That’s 172 opportunities for a publisher’s audience data to be collected, stored and re-monetized by other partners every time a page displays, all of which will be subject to the GDPR if the person accessing the webpage is located in Europe.

Some online marketing companies, such as Verve, which runs a mobile marketing platform powered by location data, and the appropriately named Drawbridge, are shutting down their European operations altogether to focus on their US business.

Professional-Service_CB-icons-2017 Information Technology Solutions from Dezan Shira & Associates

If the above is not enough, lurking in the background is the EU ePrivacy directive (the so-called “cookie law”), which pertains to electronic communications in Europe. This is not yet finalized, but may come into law soon after GDPR, most probably within 2019.

In the wake of well-publicized concerns over the apparent misuse of data, there are a number of legislative proposals working their way through the US Congress to tighten up privacy, including the Honesty in Ads Act, the Consent Act, and the My DATA Act.

One thing is for sure: privacy policies and terms of service for all online services are going to get longer and harder to understand.

This should be made easier; maybe there should be an app for that? It turns out there are, including this one. To update an old Chinese saying, “We live in interesting online times”.

This article was originally posted on LinkedIn on April 25, 2018

Mr Michael Mudd is the founder and Managing Partner of Asia Policy Partners LLC, an independent consultancy providing thought leadership on technology policy for digital transformation, security, privacy, compliance, standards and trade related business. An appointed expert to JTC-1 of the ISO, he is also a member of the Government of Hong Kong’s Expert Group on Cloud Computing, specifically the working group on Cloud security and privacy where he advises on policy. He is a member of the Policy committee of the Hong Kong Computer Society and the chief representative of the Open Computing Alliance in the APAC and MEA regions. He is an associate member of the Middle East & Africa Cloud Alliance. He also has created and delivered executive training on technology risk, privacy and digital security for non-technical office staff to mitigate losses from fraud as well as CxO level guidance on the EU GDPR.

He may be contacted at asiaitpolicy@live.com

About Us

China Briefing is published by Asia Briefing, a subsidiary of Dezan Shira & Associates. We produce material for foreign investors throughout Asia, including ASEAN, India, Indonesia, Russia, the Silk Road, and Vietnam. For editorial matters please contact us here, and for a complimentary subscription to our products, please click here.

Dezan Shira & Associates is a full service practice in China, providing business intelligence, due diligence, legal, tax, accounting, IT, HR, payroll, and advisory services throughout the China and Asian region. For assistance with China business issues or investments into China, please contact us at china@dezshira.com or visit us at www.dezshira.com