The European Union is preparing to enforce a sweeping new data protection law that gives consumers much more control over how their personal details are used. Companies are scrambling to comply.
Regulators say the new rules are necessary to protect consumers in an era of huge cyberattacks and data leaks, highlighted by Facebook’s admission that the personal details of millions of its users were abused.
Here’s what’s going on:
What is it?
The General Data Protection Regulation (GDPR) becomes enforceable across the European Union on May 25, 2018.
It seeks to expand and update data rules that have been in place since 1995 — long before hacks, security breaches and data leaks became a common occurrence.
The new rules give Europeans more control over their personal data. The European Commission said that a lack of trust in tech companies was the main motivation behind the new rules.
What does it mean for companies?
Any organization that holds or processes personal data on people inside the European Union is subject to the new rules, regardless of where it is based.
Companies that sell goods and services to people in Europe will be impacted, as well as organizations that monitor people’s online behavior, for example by tracking browsing histories.
The rules mean Silicon Valley has to change some of its business practices. Facebook (FB), for example, has tens of millions of users in the European Union. So does Google (GOOGL).
Under the new law, companies need a valid legal basis to store and process personal data. Consent is one such basis, and where a company relies on it, the request must be clear and written in plain language; a pre-ticked box or silence does not count.
Organizations aren’t allowed to hold data for longer than is necessary, and anyone can ask for their personal information to be deleted from a company’s servers. There are only a few exceptions, such as data a company is legally required to keep or still needs in order to provide a service the person has asked for.
Firms also have to be able to demonstrate that they are handling data correctly, which for many means more monitoring and documentation of what they collect and why. Some, including public authorities and organizations that monitor people or handle sensitive data at large scale, must appoint a data protection officer.
What does it mean for people?
Consumers can expect to see more privacy warnings and consent requests. These must be made separately, and cannot be bundled with general terms and conditions.
The rules mean that tech companies can no longer assume users are willing to hand over their data. They must now build their services and products on the opposite assumption, with the most privacy-protective settings as the default.
For example: Rather than automatically signing a user up for a mailing list and later offering an unsubscribe option, companies now have to explicitly seek consent ahead of time. The default option when asking users if they want to subscribe must be “no.”
Some brands are already asking consumers if they want to remain on email marketing lists.
Companies are also required to report a personal data breach to their supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to put people at risk, and to tell affected individuals without undue delay when it is likely to put them at high risk. That should close the long gaps seen in past incidents between a business finding out about a breach and its customers being informed.
What’s the cost?
Making sure a business complies with the new rules is costly. Many large organizations have hired outside auditors and advisers to help make sure they are ready.
But the cost of breaking the rules is even higher.
European regulators can impose fines of up to €20 million ($25 million) or 4% of annual global revenue, whichever is higher, which for the big tech companies could run into billions of dollars.