Europe’s new data privacy rule – the General Data Protection Regulation – took effect on the 25th of May, 2018, leaving every company dealing with user data scrambling to rewrite its privacy policies. No regulation this stringent and significant has appeared in recent memory, and it has shaken businesses to the core. The compliance guidelines are tough and the penalties are crippling. From Google to Microsoft, every company is rushing to get its privacy policies updated. That the regulation comes at a time when Facebook is embroiled in several data breach scandals is just a coincidence.
Many people believe that the GDPR was formed in response to the Cambridge Analytica scandal involving Facebook, but in fact the regulation had been in the making for years. It was first framed in 2016, when lawmakers realized that the data protection laws formulated in 1995 were outdated.
Europe is the only continent to have always had data protection rules, even before the age of social media (it is also the only continent where two world wars have started and where terrorism is now commonplace, but that is another topic). The rules, however, varied from one country to another, and not all watchdogs had the right to levy fines. The GDPR is the same for all 28 nations in the EU.
What Does the GDPR State?
The new rules of the GDPR apply to all users within the EU, irrespective of where the companies collecting the data are located. If the rules applied only to companies based in the EU, they would not have made much of a difference.
But the rule applies to every company that has European customers, from tech giants like Facebook and Google to small businesses with only a few customers in the EU. Will these rules push even more jobs out of these countries?
Although companies can continue to collect data, they now have to explain in plain and lucid language how they collect it and what they use it for. This means there is no change in the way companies collect data; they only have to disclose in detail how much they know about their users.
What are the GDPR Guidelines?
The GDPR lays down six specific categories under which personal data may be processed. One of the categories is the fulfillment of contractual obligations; an example is an insurance company requiring certain information from you in order to pay out a claim.
There are other uses, such as ad targeting, for which companies have to obtain your consent. Companies using your information for advertising purposes will now have to come back to you to get that consent.
However, companies do get some leeway in the form of the category called “legitimate interests.” This vague category can be used by companies to justify the use of customer data, but they must be able to document that their need to use the data outweighs the potential impact on users’ privacy.
The regulation also gives EU users the ability to access and delete their data and to object to the use of data under any of the above categories. Companies also have to explain how long they retain data after an account is deleted.
The rules also state that companies will have to disclose data breaches within 72 hours. This comes in the wake of the Yahoo data breach affecting three billion users, which the company took more than two years to reveal.
What It Means for Consumers
Not much will change for consumers right away. Data will still be collected, stored and used for various purposes, but now, if you are in the EU, you have the ability to grant or revoke access. In fact, even as a visitor to the EU you get the same privilege.
Companies also cannot later use data for a different purpose. For instance, if they state that they are collecting the data to tailor their services, they cannot later use the same data for advertising purposes. Non-compliant companies can be penalized and fined up to €20 million or four percent of the company’s annual global revenue. These significant financial penalties have stirred most companies into compliance mode.
However, the same benefits may not be extended to users outside the EU, because there is no regulation covering them and no compliance pressure. The data of non-EU users will still be collected and used without consent.
EU lawmakers think that smaller companies without the technical capabilities of Google or Facebook will have a hard time segmenting EU users from the rest, and that the rules will thus end up applying to everyone. But it will take a long time for such rules to be extended to the whole world.