Multinationals Google, Adobe and Microsoft said during a panel on privacy at the RSA Security Conference here Tuesday that, though they have some reservations, they are ready to implement the EU’s incoming General Data Protection Regulation.
The GDPR is much broader in scope than its outdated predecessor, the 1995 Data Protection Directive, and allows significant penalties against companies that fail to protect data, such as fines of up to four per cent of annual global turnover.
Brendon Lynch, chief privacy officer at Microsoft, said he didn’t view the new Regulation as bringing about a major change in company data protection policy but “as an incremental step”, because, he said, Microsoft has already been investing in privacy enhancements for years.
“There’s still detail to work out,” he said. “I don’t want to trivialise it, because it’s big.” Its potential penalties have “those of us managing privacy think[ing] about how we can get more assurance that all our privacy controls are working as they should be,” he acknowledged.
MeMe Rasmussen, vice president, chief privacy officer and associate general counsel at Adobe, was more critical.
“It’s written by people who don’t run businesses,” she said.
“What we were hoping for was one law that would apply to all of Europe. We don’t really know what we have. There’s a lot in there that will be open to interpretation by local authorities in different countries, and we’re still waiting for the interpretation from data protection authorities on what certain terms really mean. We’re still uncertain about what it all means.”
Google said that “there always has been and always will be challenges incumbent on multinational businesses offering services” across multiple countries.
“I don’t think we ever deluded ourselves, given our experience in Europe, that there would ever be uniformity,” said Keith Enright, legal director for privacy at Google.
He added that anyone who has ever interacted with Europe’s data protection authorities would know that they have an “absolute focus” on privacy.
“We need to engage with those folks to try to draw out as much rationality as we can,” he said. Google wanted to protect its users as much as possible, he said, and the GDPR “gives us a framework in which to do this”.
He added that Google was making a “significant incremental effort” to demonstrate compliance, through issuing transparency reports and other approaches, rather than just stating the company was compliant.