CRI Listening: General data protection regulation brings challenges for companies

2018-05-24 Source: CRI

A new European Union regulation on the protection of online data is set to take effect this week.

But the General Data Protection Regulation or GDPR – while good for people online – may also pose a challenge for internet companies.

The regulation is said to be a drastic transformation of EU privacy laws.

The new policy imposes several new requirements on companies when it comes to reporting data breaches, as well as how companies store, protect and transfer personal data.

It also gives additional rights to people who have shared personal data with internet companies.

Ann LaFrance is a partner of the international law firm Squire Patton Boggs.

Her practice focuses on cyber security.

LaFrance says the new rules are going to be a challenge for internet firms in Europe.

"You (the companies) need to have done an awful lot of work, including creating what we call records of processing, meaning all the types of data you collect from whom to whom, with whom you share it with. All of that has to be kept in a record of processing data map. You need to make sure that you've put that in notice, and you also need to put into place an agreement with vendors that you are sharing the data with or outsourcing with very specific requirements that they are set out now in the GDPR that govern the relationships that you have with third party, cloud providers, hosting providers and other service providers that you share data with or transfer data to."

Under the new rules, companies will need explicit consent from users to share their data with third parties.

It also gives users the right to know what personal information the companies are holding, and gives them the right to have information deleted if they so desire.

The EU General Data Protection Regulation was originally adopted by EU member states in May 2016.

At that time, the EU gave companies two years to prepare.

Ann LaFrance says the new rules apply to any company - regardless of size - which hosts a user's personal information.

"Under the GDPR, if you are established in the EU, so if a Chinese company has an affiliate in the EU then that's clearly covered. But then even if you are a company that's totally on the internet, and not established in the EU, but you are selling services, or products to citizens in the EU or residents of the EU, or if you are monitoring their behavior while they are in the EU…you know, possibly even putting the website in various European languages…these would be subject to the GDPR directly."

Companies targeting consumers, or B-to-B companies, based outside the EU have to establish a representative office or dispatch a representative to the European Union to be responsible for complaints and requests from both users and regulators.

Any company caught breaching these new regulations will be hit with fines of up to 20 million euros, or 4 percent of the company's global turnover.