Europe’s new data privacy law

The EU's data collection measures take effect May 25 and will reach beyond the Continent. Here's what you need to know.

ONLINE: A man looks at a computer screen showing Facebook ad preferences. Facebook is among the companies gearing up for Europe's new data privacy measures.

Jeff Chiu/AP

May 16, 2018

Companies that do business with those in the European Union must comply with its General Data Protection Regulation (GDPR). The law could compel people in other countries to demand such measures, too.

Q: How does the GDPR change data privacy in Europe?

Passed two years ago, the GDPR is poised to reshape how companies, regardless of location, collect personal data for uses that include advertising. Such information includes birth dates, political affiliations, and television viewing habits.

This translates into a few major steps, according to Nick Couldry, a media and communications professor at the London School of Economics and Political Science. First, companies will be required to alert EU users when they are collecting data and the reason for it. "You have to be told why I’m collecting the data, basically what I’m going to do," he says.

The GDPR also stipulates that alerts for users must be expressed in ordinary, nontechnical language – not in dense columns of legalese. In addition, EU consumers will have the "right to be forgotten," which will allow them to have their personal data removed from any company whenever they choose.

Q: How does data policy in the United States compare?

No single US law regulates the use of personal data. Instead, the country relies on a web of state and federal legislation with various focuses. For example, the Health Insurance Portability and Accountability Act (HIPAA) lays out rules for how health plans and providers handle information about patients, but the law’s protections don’t extend beyond health care.

The difference between the US and the EU, says Dr. Couldry, is in part about ideology. While in the US data collection is largely considered a natural expression of a free market, legislators in the EU see data privacy as a right.

"You start from a human rights perspective, that the collection of data by you about me changes the conditions under which I’m living in a fundamental way, as opposed to saying the collection is just a normal part of markets functioning," Couldry says.

That distinction carries weight when it comes to crafting regulations, says Ifeoma Ajunwa, a professor in the Industrial and Labor Relations School at Cornell University in Ithaca, N.Y.

"In the US, privacy is essentially thought of as a property right.... It could be for sale, in that you can trade access to platforms in exchange for some of your private information," she says. "The difference, of course, is that in the EU, because privacy is not predominantly viewed as a property right but rather as a human right, it merits governmental protection" on a comprehensive basis.

Q: How are companies responding?

Although the full global effect of the GDPR remains to be seen, major companies around the world have already begun to make changes to abide by the rules.

"From the point of view of corporations ... that operate globally like Facebook, Google, Twitter, and so on, they’re all facing the questions of how they adapt to the European legislation," Couldry says. "It’s gradually become clear that it’s far more important for them to be able to do business seamlessly in Europe than to take the position of not complying."

The GDPR subjects any company, regardless of where it’s based, to fines of up to €20 million (about $24 million) if it is judged to be noncompliant when engaging with EU customers.

But being sure of which consumers are located in the EU is complicated, says Bart Lazar, a data privacy lawyer in the Chicago office of Seyfarth Shaw. "Oftentimes we don’t know just through social media or any email address where an individual resides or what country they’re a citizen of so ... companies are put in sort of a risk quandary," he says.

Q: Is the EU setting a new global standard?

After Europe passed the GDPR, Britain introduced mirror legislation in its Parliament, even though voters in 2016 opted to leave the EU, Couldry notes. It could be an early sign of a social shift set off by the GDPR.

The knowledge that corporations must increase their consumer protections in Europe will likely lead many foreign users to demand the same safeguards, observers say.

"It’s possible that these companies will have variations [across countries], but then they’ll have to deal with something that could be a market disadvantage, when smart citizens spot that they’re less protected when they’re searching on their phone ... in America than when they’re sitting in Europe," Couldry says.

Dr. Ajunwa agrees, stating that user expectations will be quick to fall in line with the most comprehensive data protections. "Once organizational behavior changes, then that’s going to trickle down to societal impact," she says.