The new GDPR law takes effect today, May 25th, 2018, and it covers data protection and privacy for EU citizens, but it also applies to a lot of other countries in various ways, and since all the tech giants are huge multi-national corporations, it affects a lot of the stuff that you use on a daily basis.
The Problem GDPR is Trying to Solve: Companies Are Collecting and Abusing Your Personal Info
Since the dawn of the internet, companies have been gathering as much data as possible on anyone they can. It’s simple to collect that information, so there’s no reason for them not to hoard it.
The problem is that over the last few years, lots of companies have been caught failing to protect—or outright abusing—your personal information. The Cambridge Analytica scandal, where a researcher used a Facebook quiz to gather huge amounts of data on millions of Facebook users and then sold it to a consulting firm, is only the most recent example. The Equifax hack last year was particularly bad because the information leaked could be used to open credit cards. And those are just the big scandals. Lots of companies have been misusing your data in smaller ways, like selling it on to third party advertising companies.
The EU has taken a dim view of the situation and is using the GDPR to try and rectify it. Under the new laws, companies that don’t adequately protect consumer data or misuse it in any way face huge fines.
What is Considered Personal Data?
The GDPR protects “personal data,” which here means “any information relating to an identified or identifiable natural person”—and that’s a pretty broad definition. In reality, personal data is generally going to include things like:
- Biographical data such as your name, address, phone number, social security number, and so on.
- Data relating to your physical appearance and behaviour such as hair color, race, and height.
- Information about your education and work history such as your salary, college degree, GPA, tax ID, and so on.
- Any medical or genetic data.
- Things like your call history, private messages, or geo-location data.
This is far from a complete list. The key is that any data that makes you identifiable counts. In certain circumstances, your hair color may be enough. In others, even your full name—if it’s something common like Robert Smith—might not make you identifiable.
What Does the GDPR Do?
The GDPR gives EU residents who are having their personal data collected—called “data subjects” in the law—eight rights. They are:
- The right to be informed: If a company is collecting data, they need to tell data subjects what’s being collected, why it’s being collected, what it’s being used for, how long it’s going to be kept, and if it’s going to be shared with third parties. This information can’t be buried deep in a terms of service no one reads; it has to be concise and in plain language.
- The right to access: If they request it, any organization that has personal data regarding a data subject must provide it to them within a month.
- The right to rectification: If a data subject finds out that a company has data on them that’s incorrect, they can request that it gets updated. Companies have one month to comply.
- The right to erasure: A data subject can request that a company deletes any data that is held on them in certain circumstances. For example, if the data is no longer needed or they are withdrawing their consent for it to be used.
- The right to restrict processing: If an organization cannot delete a data subjects’ data—for example, because they need it for legal case—then they can request that the company limit how it’s used.
- The right to data portability: Data subjects have the right to take their personal data from one service and use it with another.
- The right to object: If data is collected without consent but for legitimate business interests, for the public good, or by an official authority, the data subject can object. The organization must then stop processing the data until they can prove they have legitimate reasons to do so.
- Rights related to automated decision making including profiling: The GDPR puts into place safeguards so that individuals can object to or get an explanation about automated decisions that affect them and their data.
Another big part of the regulations is that companies must have a lawful reason for collecting or processing any data. One of the lawful reasons is that they’ve obtained consent to use it for a specific purpose, but there are others like they need it to comply with legal obligations or that collecting it is in the public interest.
As you can see, the rights given to EU residents under the law are pretty broad and are forcing companies who collect data from them to really think about what they’re collecting and why. The old days of just collecting everything they can and hoping they find a use for it later are gone—at least in Europe. This is why pretty much every service you’ve ever given your email address to is contacting you.
What’s got a lot of companies in a fuss is that the sanctions for not being GDPR compliant are pretty harsh. An organization can be fined up to €20 million or 4% of their worldwide annual turnover (whichever is greater) under the laws. For the likes of Amazon or Google, this amounts to billions of dollars in potential fines if they mishandle EU residents’ data.
What Does the GDPR Mean for Americans?
Throughout this article, we’ve been focusing on what rights GDPR gives to EU residents for the simple reason that it’s an EU law. It actually doesn’t apply to American citizens, unless they’re also resident in the EU. The reason you’re getting all the emails is that most companies have no way of telling who’s an EU resident and who isn’t.
This, however, doesn’t mean that the GDPR won’t affect you. It’s caused a lot of companies to reevaluate how they’re handling consumer data and some of them have started talking about rolling the GDPR rights out to non-EU residents. And it’s also simpler for companies to enforce a single set of rules for all customers in many cases.
For example, Apple has launched a new privacy portal where people can download all their personal data or delete their account, in other words providing people with the rights of access and erasure. For the time being, only EU based accounts can use it but Apple plans to roll it out worldwide over the next few months. Similarly, Facebook is muttering about giving the same GDPR protections to some users outside the EU.