When Twitter recently asked me to accept its updated terms of service, I did what any responsible technology journalist would do: I immediately accepted the new terms without reading them so I could more quickly get to commentary on whatever train wreck was occurring on the platform that day. But when Facebook, LinkedIn, Square, and even Etsy all started notifying me with similar urgent language, I began to grow suspicious. And I wasn’t alone. My roommate expressed her annoyance, wondering whether Facebook’s recent scandal was the motivation. The whole internet seemed to want to know one simple answer: WHY?
While a call for better data protection in the light of Cambridge Analytica is a good, albeit naïve, guess (did you really think any sites would fix their shady practices that quickly?), the answer actually traces back to a decision made two years ago by the European Union. In April 2016, after four years of debate, the European Parliament voted to approve a law called the General Data Protection Regulation. The law goes into effect on May 25, 2018, which is why you’ve been flooded with notification after notification. Organizations that are non-compliant risk fines of up to four percent of their annual global turnover, or up to €20 million (about $24 million), whichever is greater.
So why are we non-EU residents getting these emails, too? Because even companies that aren’t based in the EU have to abide by the guidelines if they process the data of EU citizens. The law requires subject companies to notify users of data breaches within 72 hours and guarantees users’ right to access the data companies have on them and to learn how it’s being used. It also means that companies could be subject to penalty for ignoring the EU’s “right to be forgotten” restrictions, something that has long been a source of consternation for Google. Furthermore, the law requires companies that use data in automated decision making to provide consumers with an explanation of how their information was used—though how thorough that explanation needs to be is a bit unclear.
But though you may be getting alerts about it, American users aren’t protected by the new rules. GDPR has come up a lot in discussions of what to do next after the Cambridge Analytica scandal, but as of now there is no equivalent legal recourse in the United States. As Michael Veale recently explained for Future Tense, Mark Zuckerberg’s promises that Facebook’s user controls in the U.S. would match those required by GDPR are nowhere near the same as extending us the same protections.
Ultimately, the U.S. will have to figure out its own path to regulation for consumers to actually receive protections similar to GDPR. The recently introduced Social Media Privacy Protection and Consumer Rights Act of 2018, which features similar provisions, such as a 72-hour window for data breach notifications, could be a start. For now, enjoy all your notifications!