Future Tense

What Is GDPR and How Will It Affect You?

The EU's compliance deadline is May 25.
Jack Taylor/Getty Images

The European Union’s General Data Protection Regulation (GDPR) goes into effect on Friday, and tech companies around the world are scrambling to make sure their operations comply with the stipulations. The general aim of the GDPR, originally passed in 2016, is to give internet users more control over their data and privacy. Facebook CEO Mark Zuckerberg is in fact traveling to Europe this week in part to discuss the new law with regulators.

There’s not much to worry about on the user side at the moment. The onus is mostly on companies themselves to react to the GDPR. Nevertheless, here are some questions that you may be pondering as the EU rolls out the regulations.

What exactly does the GDPR mandate?

There are a host of new requirements rolled into the GDPR. Companies will now have to report data breaches within 72 hours and allow people to access the private data that has been gathered on them and find out how it’s being used. Users also have the “right to be forgotten,” allowing them to demand that companies remove certain personal information from the internet, and the right to opt out of sensitive data collection. The GDPR further broadens the definition of “personal data” to include locations, browsing history, IP addresses, and other information.

Do the regulations apply to companies and people outside the EU?

If a company processes EU citizens’ data, then it has to comply with the GDPR even if it isn’t based in a European country. That means most major tech companies with international operations, like Twitter and Facebook, will have to come into compliance.

Users outside the EU are not covered under the law in most cases. However, the GDPR protects the traffic of people visiting a European country, even if they are not a citizen of the union. Facebook CEO Mark Zuckerberg has also said that the company is extending certain rights enumerated in the law to users around the world, though this promise obviously doesn’t have the authority of the actual GDPR.

How will users in the U.S. be affected?

You may have noticed emails flooding your inbox over the last few months from tech companies asking you to accept updates to their terms of service. This is because the GDPR requires organizations to get consent from users before storing and processing personal info. Google, Twitter, Instagram, Square, and other companies are essentially trying to get you to grant them this consent. Most platforms will give you a prompt to accept their new terms of service when you log in in order to obtain your permission, if they haven’t already. However, CNN reports that some organizations are threatening to remove users from mailing lists if they don’t actively give their consent, so it might be worth reading through those newsletters in your inbox.

How are companies changing their services?

Companies will likely be asking for consent to collect your information more often, which could mean that you’ll need to complete more “click to proceed” boxes. You’ll also see that platforms like Slack and Facebook are adding more tools to check what data they’ve collected on you.

There have also been reports of companies shutting down or restricting their operations in response to the GDPR. The Verve, Brent Ozar, and Unroll.Me have all announced that they will no longer be serving EU residents. Klout, a platform that gives people scores based on their social media influence, is shutting down on May 25, which suggests that it didn’t want to have to disclose the kinds of data it was gathering. The online games Super Monday Night Combat and Loadout are also closing shop in part due to the GDPR.

What are the penalties under the law?

The financial toll is steep for companies found to be violating the GDPR. The fine is either 20 million euros (approximately $24 million) or 4 percent of global revenue for the year, whichever is higher. As Ars Technica points out, that could mean a maximum fine of $500 million for Facebook and $2.5 billion for Google.

Is the U.S. planning to do something similar?

The U.S.’s data privacy laws are much laxer than the GDPR’s. Congress is currently considering the Social Media Privacy Protection and Consumer Rights Act of 2018, which has stipulations similar to those in the GDPR, like the 72-hour window for reporting data breaches.

Several lawmakers asked Zuckerberg during his congressional hearing in April whether the protections in the GDPR should be adopted in the U.S. Zuckerberg in general seemed to imply that such a move would be unnecessary since Facebook has promised that “all the same controls will be available around the world.”