Sweeping reforms are set to take charge of European consumers’ online privacy and data concerns next spring, but the impact could be global — and a huge win for consumer privacy advocates. The regulation applies if the companies collecting or storing data are based in the European Union or deal with data of E.U. residents, even if their headquarters are elsewhere.
Passed by the European Union in April 2016, the regulation — officially known as the General Data Protection Regulation, or known as PR-speak on Twitter as #GDPRubbish — is supposed to give Internet users more control over the ways that their personal information is used.
As the BBC explained, “Simply put, organisations need to keep records of all personal data, be able to prove that consent was given, show where the data’s going, what it’s being used for, and how it’s being protected.” If companies don’t comply, they could face penalties of 20 million euros or up to 4 percent of annual global turnover (whichever is greater).
The European Parliament shared this breakdown when the regulation passed:
The new rules include provisions on:
- a right to be forgotten,
- “clear and affirmative consent” to the processing of private data by the person concerned,
- a right to transfer your data to another service provider,
- the right to know when your data has been hacked,
ensuring that privacy policies are explained in clear and understandable language, and
- stronger enforcement and fines up to 4% of firms’ total worldwide annual turnover, as a deterrent to breaking the rules.
The GDPR is scheduled to take effect in May 2018. We’re in the middle of the two-year transition period for companies to come into compliance, but one survey found that more than 60 percent of organizations haven’t even started implementing their new protocols.
As Axios’ Sara Fischer pointed out, “That means everyone from Google to your neighbor who sells shoes on eBay could be affected.” It’s also not just tech companies like Google, Apple, Facebook that are involved, but data-collecting businesses across all sectors — including publishers.
However, the tech companies will be leading the way. “We’re going to see innovative things from Google and Facebook in terms of how they deal with it,” David Downing, executive vice president at ASG Technologies, told Axios.
Startups and smaller companies are worried about the regulation being overly burdersome.
“We hold millions of datapoints on our users and we already take protecting this very seriously. Our customers trust us with their data on the assumption that we won’t leak or lose it, which we don’t,” Tom Davenport, the CEO of a London technology company with 10 employees, told the Sun. “It’s fundamentally pretty straightforward. It’s frustrating therefore to now be hit with such a massive and complex piece of legislation in this area.”
European Union officials say it’s necessary: “This is the kind of price we pay for a civilized way for the flow of personal data in the world,” Wojciech Wiewlorowski, assistant supervisor at the European Data Protection in Brussels, told Axios.
“The new law equals bigger fines for getting it wrong but it’s important to recognize the business benefits of getting data protection right,” a spokesperson for the U.K.’s government agency in charge of enforcing the GDPR told the BBC.
A coalition to raise awareness of the regulation just launched today in Ireland, with a newsletter highlighting the buzz around the GDPR as its official implementation deadline approaches in May.
While the regulation is grounded in the European Union (and will still apply in the United Kingdom after it exits the group), analysts say the GDPR is a big step in securing consumer data worldwide.
“I am optimistic that many of the GDPR’s protections will trickle down from the EU to other western nations,” wrote Simon Crosby, the cofounder of an global online security company, in a Forbes post. “For a large enterprise such as a bank, implementing different controls and procedures for managing privacy for each geography in which it operates is likely to be onerous.”
The regulation can be a bit jargon-heavy, which led to the popularity of the #GDPRubbish hashtag. (We’ve included some of the more coherent and comprehensive breakdowns as links in this piece.) People have been fact-checking different claims about GDPR on Twitter, though we can’t verify that all the tweets on the hashtags are accurate.