Is GDPR Affecting VPN Providers? - What's There to Know?February 28, 2019
Privacy, online security, personal data... All of these have a major interest in the last couple of years. The year 2018 represented a spike in this interest, because of the new law called GDPR for short.
This law affects Europe mainly; I say “mainly” because even though it’s a European law, many global companies are affected by it also. This also includes VPN providers. Let’s see how exactly does the GDPR affect VPN providers.
To help you better understand the subject, we’ll start by explaining how does GDPR work. Then we’ll cover a few VPN benefits. After which we can put together the correlation between VPN software and GDPR.
As I said, GDPR is just an acronym. It stands for General Data Protection Regulation. It is a law that came into effect on the 25th of May 2018. Before that, companies had to prepare for the new law with various changes and preparations.
This regulation concerns data privacy, and it applies to all of the countries members of the Europe Union. Don’t think that before this regulation there weren’t laws concerning data privacy; there were, but they weren’t as powerful as this one. Nor expensive as this one.
GDPR punishes companies that don’t apply it with a fine of 20 million dollars or 4% of the company’s turnover. Let’s be clear, per violation. It’s a lot of money.
The sad part is that many companies didn’t change the way they handle data before 25th of May 2018. Most (Some) of them thought that this law wouldn’t actually be applied, or that it isn’t that serious.
Jokes on them, because being a regulation applied to the whole European Union, it’s really serious, along with the fines.
Of course, being a small company means that you’re not in the radar, as to say. But here comes the consumer’s power: he is the one that can file a report on you if he considers that something isn’t right.
GDPR - it’s a regulation (I emphasize this because being a regulation means that it came into effect immediately, and no country had to set up a bunch of laws regarding it; it’s the same regulation for each country, meaning that it can be easily understood and applied everywhere).
This regulation gave more power to the consumer. They now have a bunch of rights that companies must respect. It was created in order to make companies be more transparent regarding how they use their consumers’ data.
Before we delve into the consumers’ right, let me help you with some definitions:
Personal Data - Every piece of information that can be related to an individual. This includes IP addresses, name, identification data, cookie identifier, and more.
Each consumer now has the right to be informed about how the company processes his personal data. The most basic example is this:
Before this regulation, websites that collected email addresses for various purposes didn’t have to specify exactly those purposes. Most of the time, there was just one checkbox saying “I’ve read and accepted the Terms and Conditions” or another one with “I want to subscribe to the newsletter”.
This meant that you could give your email, check those boxes, and then find your inbox full of emails, and offers and so on.
Now, companies have to clearly specify the purpose of gathering data. It is best to write clearly how many times will you send a newsletter. In case you offer different categories of newsletters, you should let the user choose the exact one(s) that he would like to read.
MailChimp offers this great feature for those who use their services, meaning that you have the possibility to create a complete and transparent “Subscribe to our newsletter” page. You will always keep your subscribers happy, by sending them only the content that they chose.
There are a lot more situations regarding this right to be informed. The whole idea is to let the consumer know what exactly are you doing with the data he provides.
That is why you should also create a whole separate website page (Confidentiality Policy) where you will have to write everything down, for people to read it.
Let’s not forget about the cookie identifiers. I truly appreciate those websites who managed to add a complete section (pop-up) that requires each new consumer to chose the cookie they want to provide. They can’t opt out of the necessary ones, but they can choose (or not) the cookies for the following purposes: marketing, preferences, and statistics.
The customers have the right to request their data, and you have the obligation to give them. The period of time in which you are obligated to do this is one month after their written or verbal request.
If you don’t comply, they can report you, and an authority will come to check you out.
The consumer is entitled to request a confirmation that you are processing its data, a copy of their personal data and/or other information regarding the data processing.
This request can come in any form, from whatever communication channel. But you can make things easier by creating a special email address just for the personal data issues/questions.
Consumers have the right to request you to correct the personal data that you have about them if they somehow know or find out that the set of data contains mistakes.
Of course, as long as you’re processing personal data, you are also obligated to erase every single trace of it. The consumer has the right to ask you to do this.
Same as in the other rights’ cases, you have one month to fulfill this request. Still, you have to remember that there are some valid cases when you can and should refuse to fulfill the request.
Such cases are: if the data is involved in legal trials if it is being in a task that’s carried out in the public interest if you’re legally required to archive data, and similar other situations.
Similar to the previous right, the consumer has the right to ask you to stop processing their personal data. This means that you’ll be able to store the data, but you’ll not be able to use it anymore.
Of course, there are situations when this can be applied, and situations when it can’t.
In case the consumer wants to change the company (let’s say if he wants to change Verizon for T-Mobile), he has the right to ask Verizon to send T-Mobile a full copy of the data.
This minimizes the whole work done by the consumer, to explain the new provider all about his personal data.
Keep in mind that for your own company's good, you should store all the personal data in one place. Organize it and make sure that you’ll be able to fulfill any request, at any time. Don’t put yourself into the position of saving the data in multiple places, and then forgetting to access a particular folder.
There are a lot of aspects that you should know what are the consumers’ rights in terms of GDPR and how can you prepare for them and act. You can visit the Information Commissioner’s Office and read the detailed guide to GDPR.
Most of the internet providers can see what you’re looking for online. Even if you go incognito, even if you are using the cable instead of the wireless connection.
Your laptop has an IP that is basically visible whenever your browsing online. Because browsing means requesting and receiving data. If you use a VPN, your IP and other data will be encrypted. After it “gets out” of the VPN server, the data is decrypted, but your Internet Service Provider won’t be able to trace you back.
For the all the details on how does a VPN work, there’s a full article on our blog that I advise you to read.
In terms of real-life benefits, let me mention some of them:
Hotel security – you’ll be able to use those unprotected hotel wifis, which are so vulnerable.
Use those public Wifi networks – in case you’re traveling, or in case you simply remained without data on your smartphone, you’ll still be protected. You’ll be able to use and public wifi, which will help you to stay in touch with your friends and family.
Make payments and check your bank account through any wifi - in case you need to make a payment, better use a VPN. This will protect your data from being stolen.
Browse any website in the world – did you know that Staples.com doesn’t work in Romania? Well, I’ve been able to access it by using a VPN. And so can you - using a VPN will help you access websites that are not available in your area.
Watch movies and tv-series that are not available in your country – the common example is Netflix, that offers different content for different countries. Still, the catch is that you should verify if the VPN software isn’t banned by Netflix. Because yes, this happens.
Either way, you should use a VPN at all times, in order to fully maintain your online security (link la mine)
Definitely. VPN providers, even though they aid online privacy, aren’t exempt from the GDPR regulation.
Most software and VPN apps ask you to subscribe for different plans, hence they have to create accounts. Taking this into consideration, this means that VPN providers are in the same circle as the other companies: they have to be able to respond to their users’ rights.
Besides these, they should also thoroughly secure all of their data. Any breach in their security has to be reported no longer than 72h (starting the moment when an employee or the designated person found out about the breach).
VPN software companies should also inform their users about the specific breach, and offer them a full report on what personal data was in that situation. They can also give individual notices, with the exact personal data.
If we think of a VPN provider as more than just a company, we will see that they also have other aspects in which GDPR affects them.
Why do I say this? Well, as I said, GDPR is focused mainly on the European Union. This means that countries outside EU or Europe can actually restrict their usage, just becaus they don’t want to deal with that regulation.
So the Europeans can face some problems accessing various foreign content. This is where they can learn about a VPN (if they haven’t by that point) and start using one.
This means that the previous market for VPN providers just expanded with other criteria: do they want to access content that’s banned in Europe?
To begin with, there are two types of logs that VPN providers keep (sometimes, both): activity logs and connection logs.
The connection logs refer to data that needs to be collected in order to keep your whole account connection possible. What does this include? Well, what do you need in order to have an account on a website?
- Payment method (in case they offer paid subscriptions)
These data, even though personal data, must be kept at least as long as you have an active account. The company/website has to be able to help you in case you’re in aid. Otherwise, they wouldn’t know how to communicate with you, what type of account you have, and how can they find a solution to whatever your problem is.
Then comes the activity logs. As the name implies, they are related to your activity. Not the physical one, from home, but the virtual one: what are you doing while connected to the VPN.
This does sound kind of a antithetic situation. You’re using a VPN in order to keep your online activity private, but the VPN keeps log of that activity, to which it has access to.
Before you start blaming here and there, you must know that VPN providers don’t love keeping these kinds of logs. It’s a burden for them. The government is the one that makes them do this. In some countries, like the US, VPN providers do keep activity logs, just because they don’t want to deal with any kind of fines, lawsuits or penalties. You have to understand, and not blame them.
This “activity logs keeping” has become an issue even before the GDPR regulation. Exactly because users thought that their privacy wasn’t that private. They started looking for VPN software that were specifying that they don’t keep logs. But the sad part was that there existed VPN which falsely claimed they don’t keep logs, hence the users were tricked.
With the GDPR regulation, VPN providers will no longer lie about their logs. If they say they don’t keep logs, they actually don’t. Because if they continue with false statements, they can be easily held accountable. GDPR stands for transparency and doesn’t tolerate lies like this.
There’s this question: If the VPN provider is US based, but it also uses European servers, does this mean that the GDPR will apply to it if needed?
The current explanation (at the time this article was written) is this: as long as the US (or another country outside EU) VPN provider doesn’t comply with GDPR, then the single fact that users can connect to European IPs doesn’t mean that the regulation can be applied.
Of course, now comes into discussion the traffic and the whole market area to which the US VPN providers offer its services. Just as Facebook does (though this is a more complex situation), the US provider should comply with GDPR. Either it creates some special rights for the EU users or it can simply abide to GDPR (for every user, because I believe it can be simpler to implement; harder to maintain, though).
To conclude, the GDPR regulation is not a joke. It truly helps the transparency between companies and users, being more in favor of the users, rather than for the company.
A VPN provider is just another type of company that has to comply with GDPR. As a company from the user’s point of view, they need to make sure that their users fully understand how their personal data is being used.
As a company from its own perspective, they will benefit from the fact that they have a bigger market to sell to. Also, they will have to tell the truth about activity logs, which is, indeed a “benefit” directed more towards the user; they can now trust the VPN provider when it says that they don’t keep logs.