A new European data regulation that just a month ago seemed like an obscure piece of legislation is suddenly on the lips of everyone in the tech industry.
Already touted as “the most important change in data privacy regulation in two decades,” the General Data Protection Regulation, or GDPR, goes into effect on May 25 — unintentionally good timing as it comes on the heels of a scandal that revealed that academic researchers had harvested the data of tens of millions of Facebook users and that data was allegedly misused by Cambridge Analytica, a data mining firm linked to Donald Trump’s 2016 presidential campaign.
The revelation exposed the vulnerability of user data and shook the confidence of Facebook users, many of whom threatened to wipe out their accounts as part of a mass exodus #deletefacebook campaign.
With Facebook in full damage control, the incident brought fresh calls for stronger personal data protection to the forefront of national discourse in the United States.
Meanwhile, the 28 member states of the European Union are adopting a more hands-on regulatory approach to ensure that the private data of their citizens remains just that — private.
Approved on April 14, 2016, the new rules treat personal data protection as “a fundamental right” — a utopian concept for consumers who are used to 3,000-word terms of service agreements, automatic opt-ins and data breaches that lead to little in the way of corporate punishment.
Data transparency: Who, where and why
In a drastic shift in data transparency, the GDPR will give an individual the right to find out whether, where and for what purpose their personal data is being processed.
“Organizations, corporations and the government know too much about us, and what GDPR will do is provide controls that say, it’s fine that you know something, but you have to justify why you want to know it,” said Seb Matthews, a data privacy consultant with U.K.-based extaCloud.
Under the GDPR, individuals are entitled to have their personal data erased or not disseminated further, including potentially halting third parties from processing the data. They can choose to move their data and can object to having it processed for direct marketing purposes.
The definition of “personal data” is also quite broad. It includes anything from an individual’s name to their location to an online identifier, such as an IP address or browser cookies that can track web activity. An individual’s physical, physiological, genetic, mental, economic, cultural or social identity is also protected.
Under GDPR will Google/publishers need to ask people if they consent to having their data used by AdMob, AdSense, AdWords, DoubleClick Ad Exchange and DoubleClick for Publishers? What if they say no?
— Olivia Solon (@oliviasolon) April 20, 2018
If a data collector, whether a business or a government agency, wants to use this data, it will have to obtain consent in a clear and accessible way. No more convoluted legalese or fine print.
“You now have to have an extremely unambiguous, informed consent before the data is used,” said Stuart Lacey, head of the customer data rights management company Trunomi, which provides GDPR-related technology and solutions.
“It has to be specific, immediate and clearly articulated in language that people can understand,” Lacey said.
Should personal data be breached, GDPR dictates that authorities have to be notified within 72 hours after a company becomes aware of the issue. That’s welcome news for people fed up with reading about companies that have not reacted to data breaches with the proper urgency.
Failure to comply with the GDPR also comes with a hefty penalty. Companies that violate the new rules can be fined up to 4 percent of their annual global turnover or 20 million euros (nearly $25 million), whichever is greater.
Matthews, who advises businesses on how to be ready for the GDPR, said the hefty fines will give the new rules some teeth.
“This ability to throw enormous fines — that’s a whole different level of impact when organizations fail to justify their behavior,” Matthews said.
He said the absence of this kind of “fear factor” is why previous legislation has not been very successful, which created the need for the GDPR.
Would GDPR have stopped Cambridge Analytica?
The Cambridge Analytica scandal provides a practical example of how GDPR might look in action, particularly since experts who spoke to NBC News were divided over whether the new rules would have changed what happened.
“If you zoom away from the specifics of what Cambridge Analytica did, they had a data set that was for sale,” Matthews said. “Things like that become very hard to do with GDPR in place. Simply justifying why you gathered that data would be very hard.”