The new GDPR law takes effect today, May 25th, 2018, and it covers data protection and privacy for EU citizens, but it also applies to a lot of other countries in various ways, and since all the tech giants are huge multi-national corporations, it affects a lot of the stuff that you use on a daily basis.
Since the dawn of the internet, companies have been gathering as much data as possible on anyone they can. It’s simple to collect that information, so there’s no reason for them not to hoard it.
The problem is that over the last few years, lots of companies have been caught failing to protect—or outright abusing—your personal information. The Cambridge Analytica scandal, where a researcher used a Facebook quiz to gather huge amounts of data on millions of Facebook users and then sold it to a consulting firm, is only the most recent example. The Equifax hack last year was particularly bad because the information leaked could be used to open credit cards. And those are just the big scandals. Lots of companies have been misusing your data in smaller ways, like selling it on to third party advertising companies.
The EU has taken a dim view of the situation and is using the GDPR to try and rectify it. Under the new laws, companies that don’t adequately protect consumer data or misuse it in any way face huge fines.
The GDPR protects “personal data,” which here means “any information relating to an identified or identifiable natural person”—and that’s a pretty broad definition. In reality, personal data is generally going to include things like:
This is far from a complete list. The key is that any data that makes you identifiable counts. In certain circumstances, your hair color may be enough. In others, even your full name—if it’s something common like Robert Smith—might not make you identifiable.
The GDPR gives EU residents who are having their personal data collected—called “data subjects” in the law—eight rights. They are:
Another big part of the regulations is that companies must have a lawful reason for collecting or processing any data. One of the lawful reasons is that they’ve obtained consent to use it for a specific purpose, but there are others like they need it to comply with legal obligations or that collecting it is in the public interest.
As you can see, the rights given to EU residents under the law are pretty broad and are forcing companies who collect data from them to really think about what they’re collecting and why. The old days of just collecting everything they can and hoping they find a use for it later are gone—at least in Europe. This is why pretty much every service you’ve ever given your email address to is contacting you.
What’s got a lot of companies in a fuss is that the sanctions for not being GDPR compliant are pretty harsh. An organization can be fined up to €20 million or 4% of their worldwide annual turnover (whichever is greater) under the laws. For the likes of Amazon or Google, this amounts to billions of dollars in potential fines if they mishandle EU residents’ data.
Throughout this article, we’ve been focusing on what rights GDPR gives to EU residents for the simple reason that it’s an EU law. It actually doesn’t apply to American citizens, unless they’re also resident in the EU. The reason you’re getting all the emails is that most companies have no way of telling who’s an EU resident and who isn’t.
This, however, doesn’t mean that the GDPR won’t affect you. It’s caused a lot of companies to reevaluate how they’re handling consumer data and some of them have started talking about rolling the GDPR rights out to non-EU residents. And it’s also simpler for companies to enforce a single set of rules for all customers in many cases.
For example, Apple has launched a new privacy portal where people can download all their personal data or delete their account, in other words providing people with the rights of access and erasure. For the time being, only EU based accounts can use it but Apple plans to roll it out worldwide over the next few months. Similarly, Facebook is muttering about giving the same GDPR protections to some users outside the EU.