Europe’s new data privacy law

The EU's data collection measures take effect May 25 and will reach beyond the Continent. Here's what you need to know.

Jeff Chiu/AP
ONLINE: A man looks at a computer screen showing Facebook ad preferences. Facebook is among the companies gearing up for Europe's new data privacy measures.

Companies that do business with those in the European Union must comply with its General Data Protection Regulation (GDPR). The law could compel people in other countries to demand such measures, too.

Q: How does the GDPR change data privacy in Europe?

Passed two years ago, the GDPR is poised to reshape how companies, regardless of location, collect personal data for uses that include advertising. Such information includes birth dates, political affiliations, and television viewing habits.

This translates into a few major steps, according to Nick Couldry, a media and communications professor at the London School of Economics and Political Science. First, companies will be required to alert EU users when they are collecting data and the reason for it. "You have to be told why I’m collecting the data, basically what I’m going to do," he says.

The GDPR also stipulates that alerts for users must be expressed in ordinary, nontechnical language – not in dense columns of legalese. In addition, EU consumers will have the "right to be forgotten," which will allow them to have their personal data removed from any company whenever they choose.

Q: How does data policy in the United States compare?

No single US law regulates the use of personal data. Instead, the country relies on a web of state and federal legislation with various focuses. For example, the Health Insurance Portability and Accountability Act (HIPAA) lays out rules for how health plans and providers handle information about patients, but the law’s protections don’t extend beyond health care.

The difference between the US and the EU, says Dr. Couldry, is in part about ideology. While in the US data collection is largely considered a natural expression of a free market, legislators in the EU see data privacy as a right.

"You start from a human rights perspective, that the collection of data by you about me changes the conditions under which I’m living in a fundamental way, as opposed to saying the collection is just a normal part of markets functioning," Couldry says.

That distinction carries weight when it comes to crafting regulations, says Ifeoma Ajunwa, a professor in the Industrial and Labor Relations School at Cornell University in Ithaca, N.Y.

"In the US, privacy is essentially thought of as a property right.... It could be for sale, in that you can trade access to platforms in exchange for some of your private information,” she says. "The difference, of course, is that in the EU, because privacy is not predominantly viewed as a property right but rather as a human right, it merits governmental protection" on a comprehensive basis.

Q: How are companies responding?

Although the full global effect of the GDPR remains to be seen, major companies around the world have already begun to make changes to abide by the rules.

"From the point of view of corporations ... that operate globally like Facebook, Google, Twitter, and so on, they’re all facing the questions of how they adapt to the European legislation,” Couldry says. "It’s gradually become clear that it’s far more important for them to be able to do business seamlessly in Europe than to take the position of not complying."

The GDPR subjects any company, regardless of where it’s based, to fines of up to €20 million (about $24 million) if it is judged to be noncompliant when engaging with EU customers.

But being sure of which consumers are located in the EU is complicated, says Bart Lazar, a data privacy lawyer in the Chicago office of Seyfarth Shaw. "Oftentimes we don’t know just through social media or any email address where an individual resides or what country they’re a citizen of so ... companies are put in sort of a risk quandary," he says.

Q: Is the EU setting a new global standard?

After Europe passed the GDPR, Britain introduced mirror legislation in its Parliament, even though voters in 2016 opted to leave the EU, Couldry notes. It could be an early sign of a social shift set off by the GDPR.

The knowledge that corporations must increase their consumer protections in Europe will likely lead many foreign users to demand the same safeguards, observers say.

"It’s possible that these companies will have variations [across countries], but then they’ll have to deal with something that could be a market disadvantage, when smart citizens spot that they’re less protected when they’re searching on their phone ... in America than when they’re sitting in Europe," Couldry says.

Dr. Ajunwa agrees, stating that user expectations will be quick to fall in line with the most comprehensive data protections. "Once organizational behavior changes, then that’s going to trickle down to societal impact," she says.

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.