It’s May 25th, and the European Union’s new General Data Protection Regulation (GDPR) is enjoying its first day of enforcement. This new set of regulations, approved by the EU Parliament in April 2016, marks a massive change in the way companies across the world will be forced to operate with regard to privacy.
What Is the General Data Protection Regulation?
GDPR is a set of privacy regulations governing how organizations must handle the personal data of people in the EU (it protects data subjects located in the Union, not only EU citizens). The GDPR builds on existing EU policies but sets a much higher bar: every processing of personal data needs a lawful basis, and where that basis is consent, the consent must be freely given, specific, and unambiguous rather than buried in a terms-of-service page. It also requires that affected companies provide tools for users to view (access), correct (rectify), and request deletion (erasure) of any of their stored information, and it provides a fairly broad definition of personal data that covers anything relating to an identified or identifiable person, including online identifiers such as IP addresses and cookie IDs.
The new rules also come with hefty fines for companies that aren’t compliant: up to €20 million or 4% of worldwide annual turnover, whichever is higher. Just a few hours into the GDPR enforcement period, Facebook and Google have already been hit with lawsuits, even though they’ve spent months preparing for GDPR compliance. The wide-reaching and, in some cases, vague language of GDPR means that the road to compliance is not straightforward and that regulators will have a fair amount of leeway in how they enforce the new rules.
GDPR also introduces new breach disclosure rules, requiring companies that decide how and why personal data is processed (data controllers) to notify the supervisory authority within 72 hours of becoming aware of a breach; the clock starts at awareness, not at the breach itself, which is why incident-response playbooks now need a defined point at which a security incident is declared a personal data breach. Article 33(1) reads:
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority . . . unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Not Just for Europe
Even though GDPR only protects people in the European Union, it affects businesses and organizations around the world. Anyone who stores or processes the personal data of people in the EU is forced to comply with the new regulations or risk the steep fines, regardless of where the company itself is located. Even with two years to prepare, this extraterritorial reach has left several US companies unprepared for the new regulations, and has resulted in some wholesale geoblocking of European Union IP addresses in an attempt to prevent accidental collection of EU residents’ data. (Note that blocking by IP is a blunt instrument: a GeoIP lookup only approximates location, and EU residents using a VPN or a non-EU exit address are still covered by the regulation.)
- U.S. Websites Go Dark in Europe as GDPR Data Rules Kick In – WSJ
- GDPR: US news sites unavailable to EU users under new rules – BBC News
- Major US news websites are going down in Europe as GDPR goes into effect – The Verge
A Last-Minute Scramble
Companies have been scrambling to reach compliance, resulting in a steady stream of privacy policy and terms of service updates from leading technology firms. Still, not even the regulators are ready. With such a wide-reaching and widely interpretable set of regulations, it remains to be seen what will happen as companies finally settle into compliance. For now, we can sit back and enjoy the GDPR Hall of Shame.