This May, a sweeping new data protection law will go into effect across Europe that will change the way tech companies do business anywhere on the continent. It’s called the General Data Protection Regulation, and it is designed to unify all the different privacy policies maintained by European Union states into a single set of rules.
What is the GDPR?
The EU Parliament approved the GDPR in April 2016 after much debate throughout Europe on the best way to handle private data on the internet in the modern era. In a world growing skeptical of tech companies where massive breaches of personal data are commonplace, there is definite interest in setting clear rules for how personal data should be acquired, stored, and disposed of by those companies.
For the purposes of these regulations, “personal data” includes everything from email addresses to credit-card information to medical records. If you have users in Europe, you’re likely subject to these new rules.
The new law – which will come into force in May 2018 – affects companies that do business with Europe, and hold personal data about European Union (EU) residents for purposes such as profiling and big data analysis. Failure to comply risks fines of up to €20 million or 4% of global turnover.
So what are the new rules?
The main goal of the GDPR is to set clear expectations for how data should be handled among European Union states (we’ll get to the Brexit train wreck in a bit).
One new rule should get everyone’s attention: companies now have 72 hours to inform European customers of a security breach that could have compromised their personal data, starting from when the company learns of the breach. That’s much faster than a lot of companies are used to operating: it took Equifax several weeks to notify its U.S. customers of a massive security breach earlier this year, and Uber sat on information related to a security breach for over a year.
Another important rule governs “the right to be forgotten,” or the right to demand an internet service remove publicly facing content. Services can weigh that demand against the public’s right to know that information — allowing different treatment for politicians looking to erase damaging information and teenagers who made a mistake — but companies will have to set up a way to consider such requests.
What do I do about my users in the U.K.?
Whatever actually results from the turmoil of the Brexit process, the U.K. is considering its own data protection bill that largely conforms to the GDPR, so any change you make to your data handling strategy in line with GDPR requirements should cover you in the U.K. as well.
Will this have any impact on U.S. data protection laws?
It’s hard to imagine new U.S. consumer data protection laws passing in our current political climate, perhaps best described as a once-in-a-lifetime land grab for corporate interests, but the GDPR rules could have a subtle effect on the way U.S. consumer data is handled. Large companies that do significant business in Europe might decide that it’s just easier to lump all their customers into the same bucket using the GDPR rules as a baseline, rather than maintaining separate data-handling policies based on the region in which that user accessed their services.
Furthermore, allowing Europe to test-drive new regulation could help better inform future attempts at data protection laws here in the U.S. There will undoubtedly be technical issues, legal decisions, and bureaucratic inertia that combine to highlight areas in which the GDPR rules need to be tweaked or changed in order to best serve all parties.
Either way, long-term concerns about data protection are certainly not going away. As companies adjust to the requirements of the GDPR, we’ll get a better sense of how those concerns will play out.