GlobalSign Blog

08 Jun 2018

What GDPR Means for VPN Providers (and Users)

Everyone’s been talking about GDPR. By now, most of us know what GDPR is and how it will affect, and ideally protect, the data and privacy of end users. But the entire episode is also connected to multiple online industries that survive on users’ data. Let’s dive right in and take a detailed look at GDPR, its implications, and its effects on these online industries, specifically Virtual Private Network (VPN) providers.

What is GDPR and How Does It Protect Internet Users?

The General Data Protection Regulation, which is most often referred to with its abbreviation GDPR, has an ongoing history of at least seven years. The European Union realized that the existing laws that govern the online spaces were outdated, and that they needed updating so as to better protect and regulate the interests of governments and civilians at the same time.

GDPR went into effect on May 25, 2018 and affects all organizations that store, log, or share personal information of any user living in Europe. If any company fails to meet the requirements, it may be penalized with fines that can be as high as 20 million Euros.

The new regulation requires all companies with European users to let those users opt out of sharing their personal data if they don’t want to. Furthermore, if a company discovers a breach of information, it needs to inform its users and customers within 72 hours of the first discovery of the breach.

Under GDPR, every user needs to be able to download all the data they have shared online from all the websites or platforms that they use. They would also be able to edit, manage or delete any of the data they want to. This option aims at taking control away from large firms and corporations and giving it to the users.

Moreover, special consideration shall be given to children, as they are generally more vulnerable to online threats due to their lack of awareness. This involves getting parental consent for providing services to any child below 16 years of age.

Why Do VPN Providers Need to Be GDPR Compliant?

As stated above, any organization that holds data of European users must comply with GDPR, and this obviously includes VPN providers. However, the main debate related to VPNs, GDPR, and privacy of users is that VPNs are thought to be keeping logs of all user data that goes through their servers. It’s surprisingly true for the VPNs that are operating from countries such as Dubai, China, or even the US, as the regional cyber-laws of those countries make it mandatory for VPN providers to keep logs of their users’ online activities.

What Are VPN Logs?

Every VPN needs logs. Without logs, it would become impossible for VPN providers to keep a record of their users and provide them with relevant services. However, what makes logs controversial is that there are two types: activity logs and connection logs.

The connection logs are simple user details that users provide themselves when they sign up for a VPN service. This includes their name, their email address (used to keep them updated with the latest offering or to help them reset their password in case they forget it), and their preferred payment method for their subscription activation. All of these pieces of information are provided by the users themselves, with consent. Moreover, without this information, no premium service can function.

The second type is the activity logs. As the name says, every activity that you do online gets logged by your VPN provider. Such logs defeat the purpose of subscribing to a VPN service for privacy, security and anonymity.

It is worth noting that no VPN likes to keep activity logs. However, they are compelled to do so by the governments and regional monitoring authorities they work under. For example, VPN providers that operate from within the US keep logs and produce them upon request to avoid wasting their time and money, because failure to do so can cause them to face lawsuits and penalties.

The Connection between VPN Logs and GDPR

Previously, keeping these types of activity logs was a burden for VPNs. It cost VPNs their credibility: they claimed to provide online security and anonymity while at the same time invading their users’ privacy themselves by maintaining logs of their activities.

Users concerned about their privacy and security have long wanted to subscribe only to VPNs that kept no logs. And while virtually everyone said that their VPN was log-less, many were involved in false marketing. With the GDPR now taking effect, things are changing for good. It is indeed a moment of celebration for not only VPN providers, but every company and user concerned about the importance of online privacy and security.

VPN providers couldn’t have been happier. Even though everyone claims that they keep no logs at all, very few have been able to do so. With the new GDPR, users can trust their VPN providers once again and take their word to be true and accurate.

Now, when VPNs say that they won’t keep any logs, they actually won’t, because if they go against their claim, they will be held accountable for it and subjected to penalties and fines under GDPR. Moreover, for any user information that a VPN wants to share with anyone, prior consent from the particular individual would be needed before any information is shared. It’s also worth noting that whatever user information any VPN is holding on to, users now have the control to view, edit and delete it at any time.

How to Get GDPR Protection Outside the EU Using a VPN

There are VPNs that operate in many countries, including those in Europe, which are only partially amending their privacy policy, allowing only European users to take advantage of the GDPR and the protection it aims to provide to its users. Some VPNs that are being operated from within Europe have no option but to comply with GDPR for every service that they are providing to anyone, living anywhere in the world.

There is another category though, which many VPN providers are willingly joining. It includes VPN providers that are not based in Europe, are not bound in any way to comply with GDPR, but they are still revamping their privacy policy and becoming GDPR compliant so as to win the trust of their users and take any steps possible to better protect and secure their users from all online malice.

Users who are interested in getting GDPR protection, but are not physically located in Europe can opt for VPNs that are revamping their privacy policy, making it compliant with GDPR.

Some VPNs that Comply with GDPR

Many VPNs have taken the leap of faith already, while some are still on the way. Here is a list of VPNs that have already become GDPR compliant. These VPNs have become GDPR compliant in a bid to remain operative in the EU. However, keeping in mind the security and privacy of all of their users (even the ones who live outside the EU), they have adopted the new policy and implemented it not only in the EU but across the world.

Wrapping This Up: Final Word

In my opinion, GDPR is a great step that’s been taken towards making the internet a safe place for humans from all walks of life. It helps ensure ultimate privacy and security for personal information of all users, irrespective of their usage of the internet. Not only that, it also regulates online utilities and services, and controls the amount of data they can use and share.

It is important for all netizens to understand the importance of GDPR and promote and support companies that are adopting the new regulations. The more support we provide to the companies leading and taking the first steps, the more impact it will create by starting a trend for others to follow.

About the Author

Anas Baig is a cybersecurity journalist by profession with a profound interest in online privacy, security and IoT. Follow him on Twitter @anasbaigdm.

Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.
