The final text of the new EU General Data Protection Regulation (GDPR) was agreed on Tuesday. It still has to be approved by the European Parliament and member states but it is likely to become law within two years.
The GDPR will have a profound effect on many businesses, particularly those in the US, which has always had much more liberal laws on the use of personal data than the EU and which is home to most of the big global internet companies. The new legislation, which comes hot on the heels of the invalidation of the Safe Harbour agreement, is seen by some as an all-out attack by Europe on the prevailing US-based business model of the internet.
The main points
A brief summary of the new rules is outlined in an EU press release, which says the GDPR will put citizens back in control of their data.
“A right to be forgotten: When you no longer want your data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted. This is about empowering individuals, not about erasing past events or restricting freedom of the press (see section on right to be forgotten for more details).
“Easier access to your own data: Individuals will have more information on how their data is processed and this information should be available in a clear and understandable way. Moreover, a right to data portability will make it easier for you to transfer your personal data between service providers.
“The right to know when your data has been hacked: For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours) so that users can take appropriate measures.
“Data protection first, not an afterthought: ‘Data protection by design’ and ‘data protection by default’ will also become essential principles in EU data protection rules – this means that data protection safeguards should be built into products and services from the earliest stage of development, and that privacy-friendly default settings should be the norm – for example on social networks or mobile apps.”
Breaches of the rules will be punishable by a steeper-than-expected maximum fine of four per cent of global annual turnover. In the cases of Facebook and Google, both of which have had frequent run-ins with EU regulators, that would amount to roughly $500m and $2.6bn respectively. Some commentators predict that the data protection authorities will seek to make examples of a few transgressors in the early days, to prove they mean business.
While there are advantages for businesses in dealing with a single lead data protection authority rather than separate authorities in each of the 28 member states, some US-based firms have already expressed concerns over perceived ambiguities in the new legislation.
“Legal uncertainty and big fines are a toxic cocktail,” Allan Sørensen, board member for US-based advertising group IAB Europe, told the Wall Street Journal, while Intel’s David Hoffman said “such high sanctions disincentivise business and investment.”
The glacial pace at which the legislation has been negotiated over three years with frequent publications and leaks of interim documents should have prepared US organisations and others for what was coming. Nevertheless, a recent survey by US consultancy TRUSTe across the US and Europe found that half of the companies surveyed were still unaware of the changes.
Such organisations will need to find out quickly what is required of them, including ensuring, when they refresh their websites, that cookies served to EU citizens do not collect or share personal data unlawfully.
The “right to be forgotten” may also be hard for many firms to comply with, as they will need to locate every copy of an individual’s data, which may be spread across hundreds of databases. Companies that profile their users (i.e. any organisation that applies big data techniques to personal data) will also need to be much more transparent about what they are doing and why, and to seek consent at each stage of the process.
In a global marketplace, the new rules will have a ripple effect which will inevitably force changes far outside of the EU. Some fear a Balkanisation of the internet as different jurisdictions insist on different rules, but others feel tighter rules on personal data protection will redress the balance between individuals and corporations and that US consumers will benefit as well.
“Right now, so much of our online lives are determined by algorithms that are totally opaque,” Alvaro Bedoya, executive director of the Center on Privacy and Technology at Georgetown University Law Center told the WSJ. “The right to access the ‘logic’ behind data processing could be a significant step forward in opening that black box.”
On this side of the pond, there is a growing ecosystem of privacy-oriented companies that have been waiting to see the final document for a long time, believing that the GDPR will kickstart a whole new area of the economy.
“The GDPR creates innovation opportunity,” said Geoff Revill, CEO of private network KrowdThink. “It enforces a new level of respect for user privacy, and large corporates will find it hard to adjust their internal development culture. It may even challenge some business models.”
He continued: “Scott McNealy’s belief that privacy is dead has just been countered. Businesses that embrace the opportunity can redefine existing internet services in a new trustworthy digital engagement model.”