Although the GDPR was passed two years ago, it is only in the last few weeks that the public realised something was going on – primarily through a slew of text messages and emails asking for consent.
GDPR, which stands for General Data Protection Regulation, is a new EU regulation which sets out to give citizens more rights over understanding and deciding how their data is used.
Inboxes and phones across Europe have been bombarded with all kinds of creative emails and texts asking people to consent to staying in touch. Cyprus too joined the hype, but its implementation so far has been far from perfect.
In all fairness, personal data protection officers from the 28 member states have conceded that after May 25, when the regulation came into effect, the purpose was not to impose harsh fines – though the regulation very much allows for them – but to help firms better abide by the changes.
The first instance where a lot of Cypriot companies got it wrong, according to personal data protection commissioner Irini Loizidou Nicolaidou, was the way they asked for consent.
The regulation stipulates explicit consent must be given by consumers and must be specific, informed, freely given and unambiguous.
Companies which obtained data under those conditions did not need to concern themselves with asking for consent again; however, many firms were unsure and thus chose to play it safe.
Ironically, if the data was obtained improperly the first time around – say, from a company selling data – then even asking those people for their permission was itself a breach of the regulation.
Nonetheless, two kinds of consent request have been circulating. And one of them was wrong.
One asked people to reply to the company’s message if they wanted to continue receiving emails and messages. “Let’s stay in touch!” and “keep receiving our offers!” were some of the taglines.
If you sent no reply the company was required to delete your data.
The second kind of request was the reverse: companies tried to toe the line of the regulation and keep their customers’ data through a flimsy form of consent. These sent messages saying that if you did NOT reply, the company would take that as consent to stay in touch with you.
Nicolaidou told the Sunday Mail that the second version was wrong and subject to a fine – which can amount, depending on the offence and the case, up to a maximum of four per cent of a company’s annual revenue or €20m.
As the regulation is EU-wide, if people in Cyprus believe their data was breached by a company in another member state, the data commissioner on the island can act on their behalf in processing the complaint.
Fines, however, are not only imposed over consent, as the GDPR has a much wider scope.
It concerns both the private and government sectors of a country, encompassing charities, political parties, retailers, banks, hospitals, schools, prisons and so forth.
Public authorities and firms whose core activities require large scale, regular and systematic monitoring of individuals and/or large scale processing of special categories of data are required to have a data protection officer.
Firms must be able to comply with consumer requests to remove or correct the data they hold on them, or to provide them with all of it.
The aim is not only to give people more access to their data and a right to privacy; it also has a practical application.
For instance, if someone wants to change insurance companies, they are now allowed to go to their current insurer and request all the data it has on them. Then they can simply submit it to their new company instead of going through the process of finding a host of documentation that was submitted over a period of time.
Oversight of the matter is one of the roles of a data protection officer and, according to Nicolaidou, there are plenty of professionals in Cyprus qualified to carry out the job.
A sticking point – as always – comes with the public sector. The commissioner told the Sunday Mail that the part of the regulation which requires organisations to ensure data is processed correctly is likely to be problematic when it comes to hospitals, for instance.
At the moment, patient files are placed in boxes, making them difficult to locate; medical records have been lost; and it is no exaggeration to say storage rooms are in a state of disarray.
As such, this certainly does not comply with the regulation, which specifies that data should be properly handled. Any requests for data in these circumstances will not be a smooth process.
The way to resolve this is to digitise medical records – a long-standing request of the commissioner – but that has been studied since 2012, to no avail.
“I know digitisation won’t happen until the national health system is implemented,” Nicolaidou said.
Which leaves things quite a long way off.
The regulation also stipulates that any breach of data must be made known to those affected and to the commissioner within 72 hours – meaning potential hacks should not be hushed up or kept quiet.
Nonetheless, businesses and associations were more concerned with the confusion surrounding GDPR.
Stefanos Koursaris, head of the small shopkeepers’ association Povek, said their members had not received any formal briefings or information from the commissioner and as such were quite confused as to what they should be doing.
Nicolaidou disputes this, saying her office’s website had all the necessary details, “and I personally did 60 presentations to various organisations,” both public and private.
“Anyone that reached out to us was helped.”
Koursaris concedes that a part of the problem is “the Cypriot mentality. Even things that concern our pocket we have the attitude of sitting back on the couch and sofa.”
The association of data protection – which falls under the wing of the Cyprus chamber of commerce – said panic ensued in the last few weeks before the deadline because, in the two years since the regulation was passed, no one had really bothered about GDPR until the last minute.
Even 1990s legislation relating to data protection was ignored in Cyprus, the association said, and much of the action suddenly being seen is largely a result of people realising the risks or being pressured by partner firms abroad to implement GDPR correctly.
According to the EU Commission, seven out of 10 Cypriots feel that they do not have full control of their personal data, while five in 10 say they do not trust companies operating online.
Furthermore, six out of ten Cypriots are concerned about the collection of their personal data through mobile phones and mobile applications.
A total of 60 per cent are concerned that authorities and companies may be using their personal information, without their consent, for purposes other than those for which it was provided.
Head of the Cyprus consumers union Loucas Aristodimou conceded the picture was a little muddled. “I don’t have a lot of information on this or how it’s being implemented,” he said.
While the internet is full of answers, he said there had not been many workshops where people could be educated.
“I’ve received so many emails I don’t know what to trust. I think some of them might be spams. I was trying to reply to one that I thought was serious and it ended up asking me for my data!”
On a bigger scale, on the very day the regulation came into effect, Austrian privacy campaigner Max Schrems launched lawsuits worth over €7 billion against Facebook and its two subsidiaries, WhatsApp and Instagram, as well as against Google’s Android operating system.
He accuses them of “coercing” users into accepting their data collection policies, arguing that the consent users give is not for the company’s services but for advertising purposes.
Meanwhile, some companies based outside the EU, including the US news sites the LA Times and the Chicago Tribune, were at the time of writing unavailable across the union after the regulation came into effect.
A statement on their website read “Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism.”
The New York Times and CNN were unaffected, while the Washington Post required EU users to agree to new terms.