As soon as Facebook’s data abuse scandal broke, questions of legality and regulation quickly came into focus. Most notably, the scandal found itself at odds with a piece of legislation in the European Union (EU) called the General Data Protection Regulation (GDPR), which plenty of Americans were hearing about for the first time.
Even though Facebook is a company based in the U.S., due to the nature of the internet, regulations like GDPR have far-reaching consequences for individuals and companies all around the world. Facebook may have gone to D.C., but GDPR is what it should really be afraid of.
Based in the EU, active worldwide
The GDPR is a landmark piece of legislation in the EU that enshrines stronger data protection and digital privacy laws for EU citizens. Replacing the 1995 Data Protection Directive, the GDPR is an attempt to give internet users more of a say in how their data is used and mandates companies to adhere to strict guidelines on how it is collected, stored, and leveraged. Slated to come into law on May 25 2018, it stands to make a dramatic impact on a variety of international companies and services.
The GDPR is an attempt to give people a say in how their data is used and mandates strict guidelines on how companies collect, store, and leverage it.
Although the GDPR has had its critics, there’s no stopping it now. It was adopted in 2016 and is now set to be implemented and enforceable after a two-year transition period, most recently showing its teeth in the Facebook data abuse case. Even more important in the case of that social network though, is that its data-processing center is in Ireland, making anyone outside of the U.S. and Canada legally covered by the new legislation.
Facebook itself may go even further than that though. During a recent hearing with the House committee, Facebook CEO Mark Zuckerberg said (mostly) clearly that the plan was to extend all new rights under the GDPR to all Facebook users. That would include those within the U.S. and Canada too. That could mean data handling parity and additional privacy tools for American Facebook users.
In turn, that could mean big things for entities like Cambridge Analytica, which make a point of operating in international grey areas. The fact that similar organizations collect data through social networks using their own APIs, could leave those networks vulnerable to the new legislation in turn and may lead to a further crackdown on such practices.
While all of this may seem a little complicated at first glance, the GDPR’s main purpose is to update international data protection laws for the 21st century. As it stands, countries are bound by laws created in the 1990s with individual EU countries all having their own privacy laws and mandates. Where the 1995 Data Protection Directive allowed for such nuance in different countries, the GDPR is a regulation, which means it is a hard law, not a minimum requirement. The GDPR will attempt to unify Europe’s digital data regulations under one banner to make operating within those countries as a data collector or processor more uniform.
Protections for the individual
Although the GDPR is likely to have the biggest day-to-day impact on the operations of corporations and online businesses, its main purpose is to protect internet users themselves. As part of the GDPR’s implementation, EU citizens will have a number of new powerful rights when it comes to their online information. That data can be as public as their name, or as personal as their medical information. If a company or other online entity collects it or processed that information in any capacity, they are bound to protect it and offer a number of services to the person that data is about.
If a company or other online entity collects it or processed that information in any capacity, they are bound to protect it and offer a number of services to the person that data is about.
The first of these new online rights for EU citizens is a right to be informed about what data is being collected, how it’s being used, and how long it will be retained for. That should mean sites like Facebook have far more in-depth privacy policies and will need to update them regularly as new data uses are employed. Companies may still be able to collect and store data, but not leverage it in any way.
Perhaps the most important power the GDPR gives EU internet users though, is related to the right to objection and “profiling.” Effectively, any website or service which uses personal data for direct marketing or for creating a “profile” of a person for other means, can be requested to cease such operations by the affected user.
In the case of companies like Google and Facebook, that could mean that users opt out of the very advertising profiling strategies which have made them such mega giants of online advertising. In theory, it could create real problems for their revenue streams — though it’s also possible it could cripple the competition and allow them to consolidate dominant positions.
The big caveat to all of these changes and improvements to online privacy, is that legally, they only extend to EU citizens. However, as with the case of Facebook, it may be that companies wanting to not get caught out by the legislation simply extend the additional rights to all users globally. There is no guarantee of that, but with Facebook leading the way, it’s certainly a possibility.
It is of real importance that organizations take these new regulations seriously, as there are severe sanctions in place should the GDPR be fallen afoul of. While there are low-level sanctions such as a written warning for first-offenses or non-intentional noncompliance, regular data protection audits can follow — and from there the repercussions become steep. Fines of between 20 million euros ($25 million) and four percent of a company’s annual worldwide turnover, whichever is higher are possible, though lesser fines of $10 million or two percent of annual turnover could be applied in other cases.