04 January 2018
Would you be able to pay a fine that’s 4% of your global group turnover? Europe’s new data protection rules are important for service providers across the world, writes Alan Burkitt-Gray
Europe’s new law on data protection comes into operation on 25 May 2018. If that’s what you believe, sorry, but
The EU’s General Data Protection Regulation (GDPR) is already in operation. What happens on 25 May is that the law becomes enforceable. If what you’re doing now is against GDPR, you can’t sit it out and hope to get things right after the end of May.
This is one of the top concerns of Adrian Brookes, director of solutions engineering at Tata Communications: "A lot of people are very much in the dark about the dates. It was the first thing our legal department said: don’t wait until 25 May."
Neil Coulson, partner at law firm Baker Botts, agrees, saying: "If you’re doing something now, then it’s highly likely you’ll be continuing to do it after 25 May."
Why should you worry? You’re a carrier and all you do is transmit other people’s calls and data without looking at it. Not really. If you are doing business in the EU (including the UK) you will have data on employees and customers who are EU citizens. That means you are bound by the GDPR, even if you are in the US, India, China or anywhere
But isn’t it the same as the existing EU data protection law, with a few extra punishments? Again, not really. Says Coulson: "Privacy by design is the concept that GDPR enforces. Now you have to design privacy into your operations. Any decision that requires personal data needs a
Colt’s new chief information security officer, Ashish Surti, adds: "What’s new is mandating privacy by design. That is a strong requirement. We’re embedding that into the business lifecycle – for every new product. If we’re making IT changes and organisational changes, we have to consider GDPR if any person is being impacted. We have to make sure
Uber data breach
In November 2017 Uber revealed that details of 57 million customers and 600,000 drivers had been stolen in a data breach more than a year before. It paid $100,000 to the hacker in 2016 on the promise he or she would delete the data.
Under the new EU law Uber would have to disclose such a breach to the relevant European national data protection office within 72 hours. Not three working days, and no allowance for weekends or public holidays.
The penalties for GDPR breaches will be severe. Valerian Jenny, counsel at Bird & Bird in Frankfurt, warns: "The fine is up to €10 million or 2% of turnover. If it’s a more serious incident, twice
Lee Suker, market development director at XConnect, notes that there are additional penalties, "compensation for non-material damage" for people whose data is stolen. "Citizens are entitled to compensation under the law," he says. "They don’t have to prove guilt: enterprises have to
Sounds like an opportunity for some class actions by lawyers for groups who have suffered from breaches. "Anecdotally, I’m aware of lawyers building such cases," says
That fine is 2% or 4% of a group’s global annual turnover, not of a divisional turnover, and not of profit. What does that mean? Uber is still heavily loss-making, but its latest annual turnover was $6.5 billion, making it susceptible to a fine of $260 million if GDPR penalties had been in force. Verizon, which now owns AOL and Yahoo, had a global turnover in 2016 of $126 billion. If another AOL or Yahoo data breach were to occur in June 2018, the potential penalty could be up to $5 billion.
Verizon may be a classic telco, but its expansion into other areas means it is subject to GDPR. And if there isn’t GDPR, there’s something else on the horizon in the EU: the E-Privacy Regulation. The EU already has the E-Privacy Directive, sometimes known as the cookie law. It’s why in Europe whenever we go on to a new website we have to consent to cookies on our computer or phone. The E-Privacy Regulation will strengthen that and it will be followed by a new Electronic Communications Code.
Ann LaFrance, a partner in the London office of Squire Patton Boggs, runs the firm’s communications law practice and co-chairs its global data privacy and cybersecurity group. "Telcos will have to deal with the E-Privacy Regulation being debated in Brussels right now, and it will take definitions from GDPR," she says. "You will have to look at the two together – and also at the Electronic Communications Code. If you are classified as an electronic communications provider you must get consent."
She warns: "GDPR and the E-Privacy Regulation and the Electronic Communications Code will apply uniformly across
The EU wanted the E-Privacy Regulation to come into operation at the same time as GDPR, but things are running behind schedule. When will it apply? "Maybe the end of 2018," says LaFrance. "It’s still
In the current draft, users "must consent to the use of traffic data or location data". Telcos that want to monetise data for other purposes must get consent. "It’s putting telcos in quite a difficult position," she
Suker has perspective on this. XConnect started as a number portability company for the voice-over-IP market, but is expanding into new areas. "My role is to move number information services beyond number portability," he says.
What does this mean? If you run a mobile company that offers your customers voice over LTE (VoLTE), it’s in your interest to carry calls in the IP domain wherever you can. That means finding out if the called number is also VoLTE-capable. Similarly, if you run an IPX service, you’ll need to know what the destination is
Take the new rich communications service (RCS) standards. If a customer sends an RCS message, do you pass it on – or deliver it – as RCS, or do you drop down to SMS standard? What about application-to-person (A2P)
To do that, you need information about the subscriber – including where they are now, what network they’re on, what sort of phone they have and what services they subscribe to. That’s personal information, and is subject to GDPR.
XConnect is positioning itself as a repository of this information, so it can offer it to mobile operators and wholesale operators. "The backdrop is abuse of your data and my data," says Suker. "Go download an app and you have to agree to a lot, including your location and your contacts. This whole notion of transparency is very disruptive. I want to help enterprises come to me with rich applications along with A2P services." So what is XConnect doing? "A lot of education," he says. He needs to be able to demonstrate that there’s an audit trail for information at the point it comes into XConnect, during the company’s processing of it, and at the point it goes out to a client
What does it mean in real life? Let’s take you, the Capacity reader, as an example. If you are reading this in a printed magazine that arrived through the mail, or if you’re attending one of our events and picked your copy up there, we have your data – as we do if you clicked a link in our daily email news or in a mobile app. That means we, as part of the larger Euromoney Institutional Investor information and events group, are subject to GDPR for your data. So I asked our director of information risk, Martyn Booth, what an enterprise has to do.
"Transparency is one element," he says. "We have to publish our privacy policies and you should be able to find them on our websites – with details of where to go if you want to do something about it."
Personal data has to be encrypted, not just when it comes into the company and goes out, but internally. "Most people don’t encrypt in their internal network," says Booth. "Personal data has to be encrypted."
One of the challenging areas is the right to be forgotten. "People can ask to be deleted – and that means permanently," he says. "That means everywhere, throughout the company, including back-up tapes." And there’s incident management, he adds. "We need to show we’re capable of managing those issues."
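To make concrete what an audit trail of the kind Suker describes (information logged as it enters XConnect, is processed, and leaves to a client) and the permanent erasure Booth describes look like in practice, here is a small illustration written for this article. It is not XConnect's, Euromoney's or any vendor's code: it keeps a tamper-evident, hash-chained log of every handling step for a subscriber record, keyed by a keyed-hash pseudonym rather than the raw phone number, and includes an erasure routine and a chain verifier. The keys, the store, the client name and the sample number are all constructed assumptions.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo keys; a real deployment would hold these in a KMS or HSM and,
# as here, keep pseudonymisation and audit-integrity keys separate.
PSEUDONYM_KEY = b"constructed-pseudonym-key"
AUDIT_KEY = b"constructed-audit-integrity-key"

# In-memory stand-ins for the subscriber-information store and the audit log.
SUBJECT_STORE = {}
AUDIT_LOG = []
GENESIS = "0" * 64


def pseudonymise(msisdn):
    """Keyed hash of the phone number so neither the store nor the log holds it in clear."""
    return hmac.new(PSEUDONYM_KEY, msisdn.encode(), hashlib.sha256).hexdigest()[:16]


def _entry_digest(entry):
    """HMAC over the canonical JSON of an entry, excluding its own digest field."""
    body = {k: v for k, v in entry.items() if k != "digest"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, canonical, hashlib.sha256).hexdigest()


def record_event(stage, subject_id, purpose, detail=None):
    """Append one handling step; each entry commits to the previous entry's digest."""
    entry = {
        "seq": len(AUDIT_LOG),
        "stage": stage,            # ingest | export | erase
        "subject_id": subject_id,  # pseudonym, never the raw number
        "purpose": purpose,        # the purpose the data is being used for
        "detail": detail or {},
        "prev": AUDIT_LOG[-1]["digest"] if AUDIT_LOG else GENESIS,
    }
    entry["digest"] = _entry_digest(entry)
    AUDIT_LOG.append(entry)
    return entry


def ingest(msisdn, attributes, source, purpose):
    """Data arriving from an operator feed: store it and log where it came from."""
    sid = pseudonymise(msisdn)
    SUBJECT_STORE[sid] = dict(attributes)
    record_event("ingest", sid, purpose, {"source": source, "fields": sorted(attributes)})
    return sid


def lookup_for_client(msisdn, client, purpose, fields):
    """Data leaving to a client: release only the requested fields and log the release."""
    sid = pseudonymise(msisdn)
    record = SUBJECT_STORE.get(sid)
    if record is None:
        record_event("export", sid, purpose, {"client": client, "result": "no_record"})
        return None
    released = {f: record[f] for f in fields if f in record}
    record_event("export", sid, purpose, {"client": client, "fields": sorted(released)})
    return released


def erase(msisdn, reason):
    """Erasure request: drop the record, keeping only the pseudonymous fact that it was erased."""
    sid = pseudonymise(msisdn)
    existed = SUBJECT_STORE.pop(sid, None) is not None
    record_event("erase", sid, reason, {"existed": existed})
    return existed


def verify_chain(log=None):
    """True only if every entry is intact and links to its predecessor."""
    log = AUDIT_LOG if log is None else log
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev:
            return False
        if not hmac.compare_digest(_entry_digest(entry), entry["digest"]):
            return False
        prev = entry["digest"]
    return True


def demo():
    """Walk one constructed subscriber record through ingest, export, erasure and verification."""
    number = "+447700900123"  # constructed sample (UK drama number range)
    ingest(number, {"volte": True, "network": "ExampleMobile", "device": "smartphone"},
           source="operator-feed", purpose="routing-capability")
    released = lookup_for_client(number, "ipx-carrier-1", "routing-capability", ["volte", "network"])
    erased = erase(number, "subject-request")
    after = lookup_for_client(number, "ipx-carrier-1", "routing-capability", ["volte"])
    tampered = copy.deepcopy(AUDIT_LOG)
    tampered[1]["detail"]["client"] = "someone-else"  # quietly rewrite a past export entry
    return {
        "released": released,
        "erased": erased,
        "after_erasure": after,
        "chain_ok": verify_chain(),
        "tampered_chain_ok": verify_chain(tampered),
        "entries": len(AUDIT_LOG),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` leaves four chained entries (ingest, export, erase, and a second export that finds no record), `verify_chain()` returns True for the genuine log and False once any past entry is altered, and the erased number can no longer be released. The log records purposes and field names, not the personal data itself, so it can be retained as evidence of handling after the record it describes has been deleted.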
Surti at Colt is acutely aware of the 72-hour reporting rule when there is an incident. "We need to ensure our crisis management processes keep to the timeline," he says. "We have a 24/7 operation that we run and if a crisis were to occur we have to ensure we have the people and the processes to make sure we comply."
It will be expensive. Brookes says Tata Communications has "recruited an additional 400 people right throughout the business", but "security is absolutely paramount".
But he adds: "I would just keep stressing the importance not because of punitive damages, but because it’s the sovereignty of people’s data. If you don’t take it seriously, what does it mean about your attitude to customer data? It’s your