Companies gear up to comply with the EU’s General Data Protection Regulation.
American tech companies like Google, Facebook, and LinkedIn have recently been sending users a flurry of emails in anticipation of a new regulation that will change how these companies handle personal data. With a European Union (EU) regulation that sets a higher protection standard for personal data coming into effect this week, companies are reportedly "scrambling" to make sure that their data policies meet the regulation's requirements.
The regulation—known as the General Data Protection Regulation (GDPR)—was adopted by the European Parliament in 2016 and will take effect on May 25, 2018. Although the regulation covers all EU member countries, it also binds companies physically based outside the EU whenever they offer goods or services to, or monitor the behavior of, people in the EU.
The regulation broadly protects all forms of personal data, such as a user's name, location, or "one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity" of an individual. Any information that makes an individual "identifiable" may fall under this broad definition. Under the regulation, all companies that handle personal data will be subject to its requirements, regardless of whether they control the data (for instance, by determining how and why it is used) or merely process it on a controller's behalf.
Most significantly, the GDPR provides individuals in the EU a slew of new digital rights. Among these are the right to access personal data that has been collected, the right to correct inaccurate personal data, and the right to request that a company erase personal data. Individuals may also object to the processing of their information for direct marketing, in which case the company must stop. Users may, for instance, request that a ticketing service company stop using their personal data to send targeted advertisements for upcoming events.
These new rights will be enforced through other provisions of the GDPR that bind companies handling personal data. Significantly, the GDPR forbids companies from processing personal data unless they can satisfy at least one lawful basis for doing so. For instance, a company may process personal data with an individual's consent or to complete an online transaction that requires a customer's credit card information, name, and address. Yet a user may later withdraw consent, in which case the company must stop processing, and erase, the personal data that it has collected unless the data may be processed on another lawful basis.
Furthermore, companies must be transparent about the purposes for which they are collecting personal data, gather only the data that are required for the stated purpose, and limit the time during which the collected data are stored. In the event of a breach, companies are required to report it to a supervisory authority within 72 hours of becoming aware of it and to inform affected individuals of the incident if the breach poses a high risk to their rights and freedoms.
A violation of the GDPR can carry fines of up to €20 million, or 4 percent of worldwide annual turnover, whichever is greater. This risk of substantial penalties makes the GDPR much more stringent than the current Data Protection Directive, which has left fines to the discretion of individual countries.
Despite the new regulation's potential stringency, government officials like Elizabeth Denham, the U.K. Information Commissioner, have reportedly said that fears about fines are overstated and that there is little risk that governments will "be making early examples of organizations that breach the law." According to Denham, the GDPR represents an "evolution, not a revolution" in data privacy. In the United Kingdom, a pending Data Protection Bill would, if passed, ensure that the GDPR continues to apply after Brexit.
Although companies are updating their information collection practices in advance of the GDPR’s effective date, it remains unclear whether the regulation will protect only EU residents or serve as a de facto new global standard for data protection. In the case of Facebook, which has recently weathered controversies and congressional hearings about its data practices, the company has indicated that it will offer new privacy protections to all its users, even if they reside outside the EU.
LinkedIn has also reportedly stated that it will change its terms of service so that non-European users will have contracts with its U.S.-based entity, while European users will keep their contracts with its Ireland-based entity. This change will likely limit the company's exposure to the GDPR for users outside the EU.
The GDPR comes at a time when public trust in online platforms and data companies seems to be shifting. According to a recent study by the Pew Research Center, only 9 percent of Americans are “very confident” that social media sites will protect their personal data. Two-thirds of Americans believe that existing laws do not sufficiently protect individual privacy.
With the development of the GDPR in Europe, it remains unclear whether American legislation will similarly catch up with changing public opinion on data privacy.