GDPR is Here, But What Does it Really Mean for Satellite?
The satellite industry is so laden with abbreviations and acronyms, from space-geek talk and technical terms that are better left unexpanded to terms commonly used in everyday business, that it all seems like Greek to an industry outsider. Now, there is one more acronym to add to the alphabet soup thanks to the European Union (EU).
The GDPR, or General Data Protection Regulation 2016/679, is a directive in EU law on data protection and privacy for all individuals within the EU and the European Economic Area (EEA). It also extends to the export of personal data outside the EU and EEA. More than understanding the words behind this new acronym, industry players need to understand how GDPR applies within the context of satellite. What does it mean, what actions and changes does it bring, and what are the risks?
The GDPR, which became enforceable last week, is designed to give individuals more control over their personal data, and the way organizations process and store data on their behalf. Under the GDPR, all companies collecting or processing EU citizens’ and residents’ personal data must have an inventory in place, demonstrating compliance with data protection principles. These companies are responsible for:
- obtaining consent from individuals about whom they hold or collect information, demonstrating a positive opt-in;
- allowing those individuals to transfer their personal data between service providers more easily;
- providing any information held about an individual to the individual, within one month of their request;
- anonymizing and protecting personal data;
- notifying the supervising authority of any breach within 72 hours, as well as all data subjects whose rights or freedoms were put at risk by the breach; and,
- under certain circumstances, erasing personal data upon the individual’s request.
There are additional requirements for companies with more than 250 employees as well as any company collecting or processing sensitive personal data, such as data revealing a subject’s genetic data, health, racial or ethnic origin, or religious beliefs. Infringement of certain articles of the GDPR can carry potential maximum fines of up to 20 million euros ($23.4 million), or 4 percent of total global revenue of the preceding year, whichever is greater, and can cause lasting reputational damage, according to Joanne Wheeler, director at Alden, advisers for the satellite, space, telecommunications and applications industries.
“As of May 25, the obligations introduced by the GDPR will apply to a company in the satellite industry in the same way as the regulations will apply to companies in other sectors, as long as the company is EU-based, or is non-EU based but processes an EU resident’s personal data in connection with goods or services being offered to that resident,” says Wheeler, noting that the GDPR does not apply to institutions such as the European Commission or European Global Navigation Satellite Systems Agency. “In these cases,” she explains, “the processing of personal information is governed by a different regulation: Regulation (EC) 45/2001. International intergovernmental organizations such as the European Space Agency (ESA) are not subject to EU law, including the GDPR. However, ESA has its own internal personal data policy relating to the processing and control of personal data which shares similarities to the wording of the GDPR.”
Who in Satellite is Impacted?
Within the satellite industry, the GDPR will have an impact on Direct-to-Home (DTH) broadcasting, satellite telecommunications services and geolocation services, says Wheeler. In DTH, the impact is in the use of personal data, as defined in Article 4 GDPR, by TV operators in relation to viewers, and the obligation of operators to inform viewers or subscribers of how their data is collected, stored and processed. For satellite telecommunications services, the impact relates to the flow of data, while for geolocation services the GDPR affects associated data such as personal addresses.
“Satellite services which involve the processing of personal data for national security services may fall outside the scope of the GDPR,” notes Wheeler.
The main challenge facing the satellite industry, as with other industries, is compliance, explains Wheeler. “This includes ensuring that the processing of data throughout the EU, irrespective of whether the satellite operator or company is EU-based or not, is in line with the new regulatory requirements,” she adds.
One of the purposes of the GDPR was to give data subjects more control over how their data is used and to make companies processing this data more accountable. “This means that companies must be very clear about identifying data subjects, communicating to them the purpose of the data processing and seeking their consent to have their personal data processed,” concludes Wheeler.