Almost four years ago, the highest court in the European Union (EU)[1] ruled that citizens of member countries had a “right to be forgotten”. Of course, that ruling left some holes and more than a few questions. But it did trigger some increasingly public conversations around the general topic of privacy and personal data.
That discussion, paired with some massive data breaches at high profile companies, led the EU Parliament to create a new set of laws[2] dealing with data security and privacy. Those rules, the General Data Protection Regulations (GDPR), will become effective in the EU beginning in May.
In general, the GDPR sets strict guidelines for the kind of data that can be collected from individuals by companies and organizations, and how that data can be used. That data includes anything that can be used to specifically identify a person (including social media posts, location info, photographs, etc.), as well as not so obviously personal information like race, religion, and politics.
GDPR also requires companies to obtain more specific consent from the user as well as explaining more clearly how their data will be used. Specifically excluded is vague language like “Improving users’ experience”, “marketing purposes”, or “future research”. Companies must also make it easy for users to withdraw their consent and are then required to delete the material they’ve collected.
So what has any of this got to do with those of us not living in Europe? Plenty.
While the regulations are specific to the member countries of the EU, most of what I’ve read about them suggests that all of us in the US, and elsewhere in the world, will likely be affected by them.
The law applies to any company or organization that does business in the EU member countries and collects personal data from their citizens. That includes many based in the US, familiar names like Facebook, Google, Microsoft, Apple, and more. Since most multinational corporations shuffle information around the world, it’s very likely that they will need to adapt their data handling practices everywhere, not just in Europe.
Plus the law also provides for some pretty hefty penalties for misusing or failing to secure the data, including fines of up to €20 million or 4% of “global turnover”, whichever is larger. To put that in some perspective, €20m (about $24m US at the moment) is pocket change for Facebook. 4% of their total income is not.
I know, all of this is pretty geeky stuff.
However, it’s also important if you’re concerned about the data most companies are already collecting about you and others. If you’re interested in more details of the GDPR in basic, non-legal language, check out this rough guide to GDPR and/or this short summary directed at US corporations.
Of course, the EU laws are not perfect. There will likely be much confusion when they take effect, and when the first lawsuits follow not long after. It will be interesting to see whether the big data collectors will be forced to change their behavior. Or will they just find new ways to continue their current practices? After all, our information is the foundation of their massive profits.
Beyond that, there’s also the larger question of whether the US should implement similar laws. It’s not likely to happen in this political climate, with political “leaders” who claim that the “free market” will protect us all. But maybe some outside pressure on US-based companies may effect some needed change.
The map is from the BBC, showing the current configuration of the European Union. Of course, their home country, the United Kingdom, is in the process of a very contentious “Brexit” from the EU, so that map could change in 2019, in more than one way if the people of Scotland and Northern Ireland make some hard decisions.
1. Very tangential side note: I love that the official anthem of the EU is based on Beethoven’s “Ode to Joy”. Certainly more uplifting music than the militaristic tones of most national anthems.
2. In some of what I’ve read, experts say that GDPR isn’t so much “new” law as it is a clarification of many different data and privacy regulations that are already on the books, combined with court rulings. Either way, GDPR is likely going to change the way companies do business in the EU, and possibly elsewhere.