As the European Union readies the biggest change to its privacy laws in a generation, tech companies are steeling themselves for an overhaul that could force them to rethink how they handle consumer privacy around the world.
Unlike regulators and most data-hungry companies in the United States, Europeans believe that personal privacy is a fundamental human right, says Susan Grant, director of consumer protection and privacy for the Consumer Federation of America.
“In the EU, privacy is something you’re entitled to, and companies need a good reason to infringe on that,” she says. “Unfortunately, that’s not where we’re at in the U.S.”
The General Data Protection Regulation, which applies across the EU from May 25, 2018, could raise the privacy bar for consumers in many locations, as transnational companies update their policies to comply with the new rules.
Here’s what the new rules are all about.
What does GDPR do?
The 88-page law sets consumer privacy standards that exceed those of the United States in several key ways.
It expands the definition of personal information. Under GDPR, personal information includes your name, mailing address, location data, Internet Protocol address, cookie data, health and genetic information, biometrics, ethnicity, political opinions, and sexual orientation. That goes well beyond definitions of personally identifiable information found in U.S. privacy statutes.
It limits data retention. Companies can keep your data for only as long as they need it to fulfill the original purpose. Generally speaking, U.S. companies decide how long they want to keep your data. The longer that data is retained, the more likely it will become a target for hackers and/or prone to accidental breaches.
It can enforce data erasure. This gives consumers the right to demand that websites and services remove their personal information, or to “be forgotten,” with certain exceptions (like for news stories about notable individuals). Sites have to honor this request within one month, or explain why they are refusing it; for complex or numerous requests, that period can be extended by up to two further months.
It requires faster data breach notifications. GDPR requires organizations to report a breach to their supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to put anyone at risk. When a breach is likely to present “a high risk to the rights and freedoms” of the people affected, the organization must also tell those individuals without undue delay. U.S. data breach laws, which vary by state, require notification but often put no fixed timetable on it.
What happens when companies don’t comply?
The GDPR comes with stiff penalties, set in two tiers. Violations of obligations such as breach notification and data security can be fined up to €10 million or 2 percent of worldwide annual revenue; violations of the core data-processing principles, of individuals’ rights, or of the rules on international transfers can be fined up to €20 million or 4 percent, in each case whichever is larger. If Equifax, for example, had been assessed the top-tier maximum, it would owe more than $120 million.
The targets and scopes of GDPR penalties fall under the purview of the Data Protection Authorities in each of the 28 European member states, coordinated by the European Data Protection Board. These regulators have the authority to fine companies that offer goods or services to people in Europe, or monitor their behavior, regardless of whether the company has a physical presence in a European state. They could also prohibit them from doing business in Europe.
Is this better or worse for U.S. companies?
Depending on whom you ask, the GDPR either simplifies compliance by establishing a consistent set of guidelines, or it creates new compliance challenges.
Chris Sperandio, a product manager in charge of GDPR compliance for Segment, a customer data platform, says the law is good news for companies and consumers.
“We see GDPR as a relatively unambiguous bar to meet, instead of a fragmented regulatory landscape across a number of member states,” he says. “We think it imbues a lot of rights for end users to get excited about, specifically around informed and affirmative consent.”
But the new consumer protections create significant challenges for tech companies, warns Richard Stiennon, chief research analyst at IT-Harvest.
“This is the deepest a regulation has ever penetrated into the commercial world,” Stiennon says. “It dictates all these requirements without specifying how to accomplish them. And it threatens gargantuan fines for noncompliance. You certainly don’t want to be the test case for it.”
In either case, nearly half of organizations operating in Europe are unlikely to be in compliance when the law, approved in April 2016, goes into effect this spring, according to a survey by Veritas Technologies.
Will American consumers benefit from these rules?
That’s the $64 billion question. It certainly makes sense for any company doing business globally to have one set of rules for its customers instead of multiple ones, consumer advocate Grant says. But whether companies operating in the United States will standardize on GDPR rules remains to be seen.
So far, Amazon, Google, and Microsoft have publicly stated that they will comply with the GDPR—at least for their cloud services. A Facebook representative told The Parallax in an emailed statement that it will ensure that its services comply as well.
As for all the rest, we’ll have to wait and see.
“It doesn’t make sense for companies to operate one way in Europe and another way in the U.S., but that doesn’t mean they won’t,” Grant says. “I think if U.S. companies are going to treat customers the same as they do in Europe, it would be great for them to tell us that.”