As of May 2018, the European Union, or EU, has declared that all companies in the Union, as well as those that use the data of EU citizens, must follow its General Data Protection Regulation. This legislation was put into place in the interest of protecting user data and restricting companies' use of it in ways that their consumers were previously not aware of and not consenting to. The law aims to place the control of personal data back into the hands of citizens, where it was previously under the indiscriminate control of companies who had collected it.
N.B. This law affects countries in the EU and in the European Economic Area, or the EEA. The difference between the two concepts is that companies in the EEA are not necessarily members of the EU.
The General Data Protection Regulation (GDPR) is a new set of EU regulations over personal data protection and privacy.
The GPDR replaces the 1995 Data Protection Directive 95/46/EC and addresses the treatment of EU consumers' personally identifiable information (PII). Since the creation of the Data Protection Directive, the complexity of our technological environment has evolved. Data used by modern smart phones and social media are not covered in the 1995 Data Protection Directive.
GDPR sets responsibility and accountability with corporations, defining what companies can and can not do with personal data, requiring data breaches be reported in 72 hours, setting encryption standards, requiring clear consent for consumers, stipulating how long data may be held, and requiring data protection by design and by default. Under GDPR, certain organizations are required to elect a Data Protection Officer. This figure is held accountable for data management at a given organization and serves as a primary point of contact with the regulatory authority. The new requirements have a major impact on how companies communicate with consumers and also how they manage the data they hold.
For EU consumers, GDPR provides control over your personal data. The data considered under the new set of rules include: names, IP addresses (location), pictures, email addresses, home addresses, social media activity, banking information, and medical details. The regulation grants consumers the right to request a copy of their data, the right to opt-out at any time, and the right to request that their personal data be deleted, although the latter is not a universal right.
Compliance with GDPR is enforced by the European Union with the Data Protection Directive. The directive provides the legal infrastructure to support the reform, ensuring consumers’ rights to their data and that infractions are punished.
The regulation is applicable for any organization managing the personal data of EU residents. This includes companies in the United States, and other countries outside of the European Economic Area, with access to European consumers' data.
The 2018 GDPR is a more encompassing regulation that harmonizes rules across the European Union and the European Economic Area. This simplifies the regulatory landscape for companies, decreasing the total costs of compliance. According to some opinions, this could make the EU a more competitive market. (Other analysts predict that this law could prove to be too restrictive and leave the EU behind in the global economy.)
The official text can be found here.
The deadline for the regulation to go into effect was May 25, 2018, however many companies will fail to meet this deadline due to the scope of changes required. The impact of the new regulation has been substantial on some companies' operating models. Tech giants such as Google, Facebook, and Amazon will face considerable challenges around the new reforms.
Since its implementation, the U.S. has seen GDPR greatly affect its operations. As many of its organizations manage EU data, many U.S. companies are obligated to comply with this regulation.
Companies that are not ready to conform to the policies outlined by GDPR, like the Pinterest-owned firm Instapaper, have temporarily blocked access to EU users in order to avoid penalties. Other companies prepared themselves for the arrival of the legislation by putting in place a click-through upon arrival to their sites, inciting users to consent to the use of their personal data.
The new regulation imposes fines for non-compliance, after a warning has been issued for a first offense. Depending on the nature of the offense, the imposable penalty is up to $10 million USD or 4% of global revenue, whichever is higher.
Facebook is the first company under review against its compliance with GDPR and could face a substantial fine. Facebook and other social media platforms, such as Instagram, use pre-selected consent. GDPR requires that the consumer have a clear action to opt-in before sharing personal data.
Facebook states that, in line with the new law, it is transparent with users about how their data is being used and gives them total control over it. Facebook also states that its representatives meet with regulators, policymakers, privacy experts, and academics to ensure compliance with GDPR and similar privacy laws.
Google has a substantial footprint in the European Union and is being investigated for infractions against GDPR. Similar to Facebook, Google uses a pres-selected consent checkbox. If found guilty, the potential fine could reach €4 billion ($5.2 billion USD).
However, Google maintains that it works to be compliant with the law, citing its audit and certification process for third-party sites extracting user data as an example. It also practices "user transparency" and informs users of the ways in which their data is being used for ads; in the event that user data has been breached, Google states that it informs users.
Image: © tanaonte - 123RF.com