The European Union’s stringent regime governing how data collectors gather and use its citizens’ information and give consumers more control took effect Friday. It’s known as the General Data Protection Regulation and covers any company that has EU residents’ personal data. That means businesses from neighborhood restaurants and hotels to Amazon to Google have been scrambling for months to make sure they comply to avoid penalties that can go as high as nearly $25 million or 4 percent of global annual revenue -- a hefty sum for the likes of Facebook, which endured a tough round of questioning by EU politicians just days before the rules took effect demanding to know how the social-media titan will apply the new rules.
1. What does the GDPR do?
Companies have to post clear notices for users and get their “unambiguous” consent to collect data, instead of burying an OK inside fine print and legal jargon. That means the EU no longer tolerates the confusing “terms and conditions” that must be agreed to while signing up for a fitness tracking app or ordering groceries online. (Whether you’re actually seeing all the emails and absorbing everything in them is, of course, up to you.) The new rules are also supposed to make it easy for consumers to refuse for their data to be used for direct marketing purposes, as well as to retrieve their data and give (or sell) it to another business. Collection of data on children under the age of 16 without parental approval is banned.
2. What types of data are we talking about?
Anything the EU has determined to be “personal data.” If it’s sensitive in nature and can be linked to a person, it falls under this umbrella of protection. This includes credit card numbers, travel records, religious affiliations, web search results, biometric data from wearable fitness monitors, and internet (IP) and personal computer addresses. It doesn’t include news articles, legal actions or public records.
3. Who must follow these rules?
Any entity “processing” personal data by collecting it, storing it or disseminating it. This means it’s not just social networking sites, search engines and big online retailers. The rules also apply to information collected by schools, chat rooms, property management companies and even Scout groups.
4. What’s this going to cost firms?
A survey of Fortune 500 firms shows they are, on average, setting aside $1 million for the added technology costs. Just over a third of those polled are budgeting $501,000 to $1 million for new permanent staff. Firms listed in the FTSE 350 see technology putting them out 430,000 pounds ($600,000) and staffing another 201,000 to 400,000 pounds. Peter Fleischer, Google’s global privacy counsel, said May 14 that the search-engine giant had to update about 12.5 million contracts to comply. The company has been working on the new rules for well over a year.
5. What do they need to do to comply?
Firms and organizations with more than 250 employees have to hire a data protection officer, who is responsible for making sure the rules are followed through employee training and compliance audits. If a firm is smaller than 250 but collects large quantities of sensitive data, it will also need a DPO. If there’s a data breach, authorities must be notified within 72 hours and customers informed in a timely manner if the breach poses a risk to them. So situations like Uber’s attempts to cover up its 2016 data hack, or the slow release of information on Yahoo’s massive breach in 2013, are now punishable with huge fines.
6. What’s the penalty for non-compliance?
Fines of as much as $12.4 million (10 million euros), or 2 percent of annual worldwide revenue, whichever is higher. In cases of negligence or violating the conditions of consent and infringing on data subject rights, the fines can go as high as $24.8 million, or 4 percent of annual worldwide revenue, whichever is higher. If Google violated the rules, for example, fines could be more than $4 billion since its parent company, Alphabet, had more than $110 billion in revenue in 2017. In worst-case scenarios, the people responsible could face prison sentences. EU privacy regulators have been toothless for so long, that some of the more aggressive ones have promised they won’t shy away from making full use of their new fining powers. Whether they will really go up to the maximum fine remains a question mark, though. In any event, it’s likely that any legal action taken against deep-pocketed web service companies would be fought in the courts for years.
7. How will life change for consumers?
As of Friday, EU consumers shall have free access to the data that’s been collected on them and more information on how it’s being used. Data will be destroyed when it is no longer needed for the original task. To get to it, they can contact the data controller, whose contact info must be provided whenever information is collected. And because consumers now own their data, eventually they may be able to trade things like gift certificates from Zara in exchange for their shopping histories with J. Crew.
8. What data can consumers get removed?
Through the “right to be forgotten,” citizens can force organizations to erase information that was illegally gained, or no longer holds true. Data that serves no current purpose, or has been used for direct marketing, could also be on the chopping block. In some cases, consumers who don’t give permission for websites to use their information may not be allowed to post on social media or consumer review sites.
9. Will the U.S. ever pass its own version of the GDPR?
Facebook CEO Mark Zuckerberg told representatives of the EU Parliament on May 22 that the social-media company would apply the “spirit” of the GDPR globally, and companies do often prefer to have one set of rules so they don’t have to tailor products to comply with differing standards. And while he also faced questions from U.S. lawmakers on privacy safeguards in April, the likelihood of a comprehensive and aggressive overhaul like the EU’s is unlikely. Gridlock in Congress doesn’t help.
• EU’s GDPR website and a list of its terms and lingo definitions.
• An easily searchable version of the 11-chapter, 99-article GDPR.
• Germany, haunted by memories of being tracked by Nazi Gestapo and the East German Stasi, passed the first national data protection act in 1977.
• Bloomberg QuickTakes on how the GDPR is an issue in Brexit negotiations and privacy vs. security.
--With assistance from Jeremy Kahn.
To contact the reporters on this story: Kristy Westgard in New York at firstname.lastname@example.org;Stephanie Bodoni in Brussels at email@example.com
To contact the editors responsible for this story: Leah Harrison Singer at firstname.lastname@example.org, Anne Cronin, Nate Lanxon
©2018 Bloomberg L.P.