If you’re a person on the internet, you’ve probably been getting a lot of emails from companies about privacy updates, all related to a new law that just went into effect in the European Union: the General Data Protection Regulation, known as the GDPR.
Even though the GDPR is a European law, there’s a big impact here in the United States. Confused? Here are five things you need to know about the GDPR, starting with the basics.
1. What is the GDPR?
It’s a set of data privacy laws that was approved by the European Parliament in 2016, and after a two-year transition period, it’s now law. It affects any company that handles the personal information of anyone in Europe, and that means any company that does business in Europe, even if it’s based in the United States or somewhere else in the world.
It’s much stronger than privacy regulations in the United States. It basically says that companies have to get explicit permission to collect and use your data, and that they have to let you see what they’re storing and allow you to remove it. If you’re in the EU, that is. There are some other specifics in there about letting people take their data to other services and notifying authorities if there’s a hack affecting personal data, but it’s really ultimately about consumer control of the personal information that companies collect.
2. Why is the EU putting new regulations in place (and why isn’t the United States)?
The EU, being made up of many different countries, has had many differing rules around privacy, data collection and how data should be stored by companies not based in Europe. So, very simply, the GDPR is an attempt to create one set of rules that everyone can follow, and it happens to enact the most consumer-friendly set.
The United States essentially has no federal privacy regulations around data collection, use and notification. The difference is really cultural; privacy is considered a human right in Europe, and of course, it’s a much more regulation-friendly environment. American citizens have a lot less concern about trading information for free goods or services, like email, maps, chat or photo sharing, and it hasn’t seemed necessary.
3. What do the new privacy regulations mean for users in the United States?
It depends on the company. In the short term, it means a lot of emails about updated terms of service and privacy policies, which you’ve probably already noticed. But some companies, like Microsoft, have said they are going to make the rules of the GDPR standard for every user, even people in the United States. So in theory, that could mean that you could call up Microsoft, ask to see what personal information it has about you and maybe ask Microsoft to delete it.
4. What do businesses need to do to comply?
First, they have to figure out if this applies to them. It applies to any business that processes the information of anyone located in the EU. There are probably some businesses that don’t realize that their mailing list is international.
They have to get their data in order — know where it is and how to access it quickly, and how to make it available for users who request to see it or move it to another service.
They need to have a plan for notifying authorities and users if there’s a hack, and they need to make sure they’re verifying the ages of their users — children’s data is a big part of this, too.
And even if they don’t understand exactly how to comply with the new rules — because they are a little bit vague — experts say that they at least have to make a good-faith effort to get consent from people in the EU to collect and use their information.
5. What does the future hold for new privacy regulations? Could this be a new standard?
That’s the hope of a lot of privacy advocates. It is likely to have a trickle-down effect on big companies, at least. It will just be easier in the long run to have one set of behaviors for how you treat personal information, instead of trying to have two systems, especially if your business is really international. And it could lead other cities and states to craft new privacy rules in the image of the GDPR. California is working on very strong regulations, for example.
It’s also important to note, though, that this will have a lot of downstream impacts on companies, and it’s not clear what will happen.
Some companies say they’re not going to expand into Europe because the regulations — and the potential fines of 20 million pounds or 4 percent of annual revenue — are so scary. Others say it’s going to make marketing harder and will end up strengthening companies like Google and Facebook that have huge budgets and can easily comply.