How Will the EU’s New Data Protection Rules Impact Translation Services?
David Kennedy and Lawrence Fahrenholz consider the issues related to translation you will need to address when the EU’s new rules governing data protection come into force
Have you recently taken the time to look over those NDA agreements you have signed in which you provide an undertaking to keep confidential personal data and other sensitive information? There are a number of issues regarding the handling of documents for translation purposes that also require consideration to ensure compliance with EU legislation.
The adoption of the EU data protection reform package in the form of the General Data Protection Regulation (GDPR), which EU Member States must transpose into national law by 2018, will result in the imposition of more stringent rules on the use, storage and transmission of personal data.
Companies will only be able to store personal data on individuals with those individuals’ express prior consent. People will have the right to request disclosure of the personal data that companies collect about them and will also have the right to demand that their personal data is erased. This has significant implications for how users of translation services should go about procuring such services from language service providers (“LSPs”).
Before outsourcing translation projects and dispatching project documents containing personal information, including names and contact details, you first need to ensure that the LSP operates in a member state that has signed up to the GDPR and complies with all the relevant regulations. The assurances your LSP gives about data security must also include a guarantee that their servers are located in jurisdictions which comply with the provisions of the GDPR. It should also be borne in mind that because a lot of translation work that is contracted out to an LSP is then sub-contracted to external translation providers, you may need an assurance that the LSP’s impose the same statutory compliance obligations on any freelance translation suppliers (operating in the EU or within so-called “safe harbours” which meet GDPR requirements). According to Pawel Walentynowicz of Lingosec: “While collaborating with professional Language Service Providers you might assume that the data confidentiality problem does not exist anymore. However, LSP often lose control over your text after sending it to the individual translator”. Lingosec’s solution is to offer software which renders the data anonymous.
Notwithstanding Brexit, most companies, including LSPs, will be unable to bypass compliance requirements, especially if they work with translators based in the European Union. Europe Computer Weekly alludes to the fact that “GDPR is (relevant) whether the data you handle is about EU individuals or has the potential to identify individuals that find themselves in the EU – not about whether your company is in the EU“. In essence this means that unless your company is going to keep two sets of records, namely both EU and non-EU, effectively British or American companies which have any dealings with EU citizens will have to comply with the new legislation. So where does that leave LSPs?
Serious LSPs will be prepared
A key differentiator between LSPs that outsource translations of texts containing sensitive data is whether, like Lacrosse, they provide their translators with a secure server-based environment in which to work or whether they simply forward sensitive files to insecure email addresses, such as free web-based email services, for downloading and local storage by the freelance translators who are to translate the texts. Our legal-sector clients and large consulting firms already insist on NDAs being signed by all parties involved in translation projects –proofreaders, terminologists, project managers as well as translators. This has been standard practice at Lacrosse for many years. Projects may also be subject to additional requirements such as the obligation to destroy confidential information upon completion of a project.
What about machine translation?
LSPs tend to be critical of Google Translate, a machine translation (MT) service developed by Google, which a lot of people use simply to help them get the gist of a text drafted in a foreign language. While Google maintains that it is committed to ensuring full compliance with the GDPR by the time it enters into force and has already made great progress this regard, it remains to be seen whether Google will limit its liability and in effect places an even greater onus on users to demonstrate that they are handling information correctly in a manner that is compliant with the relevant regulations while holding them directly liable for uploading prohibited material. The following passage taken from
the Google Translate Terms of Service, which people generally skip over without reading, merits particular attention in this regard:
“Some of our Services allow you to upload, submit, store, send or receive content. You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours.
When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.”
Given the power Google has over such texts, a company which uploads a sensitive file to Google Translate may be in breach of its own privacy commitments..
Mitigating potential risks
First and foremost, avoid using free/open-source machine translation engines such as Google or Microsoft Translate at all costs, especially if your file contains sensitive data. Instead, invest in a commercial service for your internal server, which has T&Cs you feel comfortable with: SOL, KantanMT, Tilde, CrossLang just to name a few, may be worth a look, though there are a wide range of services available, each with its own advantages and limitations.
In practice, the customers of advanced MT engines tend not to be end users. LSPs are more likely to be MT users, especially companies that specialise in very large localization projects for texts such as product catalogues, e-commerce platforms or user manuals.
Specialists for specialist texts
MT has severe limitations and should not be used for legal, corporate communications or marketing content. It is far more advisable to go through a specialist LSP which has translation management software and CAT tools at its disposal, with specialist client-specific translation memories and human and automated quality control features. Be sure to ask potential translation suppliers about their data security infrastructure, working practice and usage policies, how they use their CAT tools and whether the files for translation leave their servers, how secure and up-to-date their servers are, and whether they sign NDAs with their freelance suppliers?
At Lacrosse, we will gladly provide you with information on our own data security arrangements and we will ensure that we are fully compliant with all currently applicable data protection regulations. We are also able to accommodate flexible working arrangements should, for example, all work need to be performed on your company servers in line with company policy. As the implementation of the GDPR draws closer, expect a flurry of legal debate over the next six months or so during the lead-up phase. However, what we should bear in mind is that the legislation will be there to protect our privacy as individuals in an increasingly digital, networked world and, as such, we should welcome its implementation, even if the process may mean having to tackle numerous challenges along the road leading to compliance.