In today’s convenience-based economy, more and more people are buying goods and services online. Every time you shop, you leave a digital footprint. Over time, these footprints accumulate in cyberspace and together, they can be used to establish your identity. In this context, the protection of personal data and privacy are integral guarantors of the protection of human rights in e-commerce.
Protecting personal data and the right to privacy
The main legislation governing data protection in the EU is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the General Data Protection Regulation (GDPR), which has applied across all EU Member States since May 25, 2018. The GDPR was adopted with a view to harmonizing data protection regulations across the EU. For any company involved in e-commerce, it is important to be familiar with these new obligations and to devote enough time to compliance.
According to the GDPR, personal data is understood as any information relating to an identifiable natural person (data subject). An identifiable natural person, or data subject, is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Does the GDPR reach beyond the EU?
With respect to e-commerce and personal data, it is worth noting that the GDPR outlines a set of progressive rules that consider specific aspects of personal data processing in the digital space. Article 3 specifies that the GDPR applies to the processing of personal data regardless of whether the processing takes place in the EU or not.
Beyond that, there are two situations in which the GDPR applies to processing by a controller or processor that is not based in the EU: first, if the controller or processor offers goods and services to individuals in the EU, and second, if it monitors individuals in the EU. Such entities must comply with the GDPR. For example, they will need to appoint a representative in the EU, who will represent the controller or processor with regard to their respective obligations under the GDPR.
These two cases of the extra-territorial effect of the GDPR require further clarification. The controller or processor would be deemed to be offering goods and services in the EU if it clearly intends to offer such services in one or more EU Member States. Such an intention could be proved by the use of an EU-based language or currency on the e-commerce site, the possibility for EU-based customers to order goods and services, or the mentioning of customers or users who are based in the EU. Thus the mere accessibility of the controller's or processor's website, email address and other contact details from within the EU is not sufficient to establish intent.
The definition of monitoring is also quite broad, but in the context of the GDPR, it could be interpreted as the use of various technical mechanisms to collect and analyze data to profile an individual. In light of the popularity of profiling, a large number of companies which do business online will thus fall within the scope of the GDPR.
Privacy and the impact on profiling
In order to recognize an activity as profiling, three basic elements must be present:
- It uses an automated form of processing;
- It includes the use of personal data;
- The aim of the activity is to evaluate certain personal aspects relating to a natural person, to analyze or predict aspects concerning that natural person’s performance at work, health, personal preferences, interests, location or movements.
Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or other significant effects concerning them. Individuals must also be informed about profiling activities and have the right not to be the subject of such activities.
Data portability
One more right of individuals that you should take into consideration is the right to data portability. It means that individuals have the right to receive the personal data they previously provided in a commonly used and machine-readable format. However, there is a limitation on this right: it only applies if the processing of the personal data was based on consent or on a contract.
A compliance challenge
Data protection and privacy are among the most controversial and challenging issues of our time. For companies operating in the e-commerce sector, and indeed for all companies operating in today's digital economy, compliance with the GDPR must be a top priority.
Personal data protection in Russia
The regulation of personal data in Russia is similar to the GDPR in many aspects: Russian personal data legislation also applies to operators regardless of whether or not they have local representation in Russia, provided they have a website that targets a Russian audience. The 'localization amendment' is therefore rather impactful, as it establishes an obligation to localize the personal data of Russian citizens in Russia. However, Russian regulations use slightly different criteria for determining which foreign operators acting through a website must comply with Russian personal data legislation. Foreign operators that fall within its scope are those who:
- Use a Russian-related domain name and/or a genuine Russian version of the website; or
- Meet additional criteria that indicate "explicit evidence that the owner of the website intends to include the Russian market in its business strategy". This could be through the use of ruble payments, the delivery of goods to Russia, and/or the use of Russian advertising to lead to the website, etc.