The EU’s General Data Protection Regulation comes into force this week – here’s what it means
Facebook’s Lulea data centre in Sweden. The EU’s new data regulations promise consumers more say, but could also entrench the dominant powers. Photograph: David Levene for the Guardian
But GDPR is far more than just an inbox-clogger. The regulation, seven years in the making, finally comes into effect on 25 May, and is set to force sweeping changes in everything from technology to advertising, and medicine to banking.
What is GDPR?
The law is a replacement for the 1995 Data Protection Directive, which has until now set the minimum standards for processing data in the EU. GDPR will significantly strengthen a number of rights: individuals will find themselves with more power to demand companies reveal or delete the personal data they hold; regulators will be able to work in concert across the EU for the first time, rather than having to launch separate actions in each jurisdiction; and their enforcement actions will have real teeth, with the maximum fine now reaching the higher of €20m (£17.5m) or 4% of the company’s global turnover.
GDPR affects every company, but the hardest hit will be those that hold and process large amounts of consumer data: technology firms, marketers, and the data brokers who connect them.
Even complying with the basic requirements for data access and deletion presents a large burden for some companies, which may not previously have had tools for collating all the data they hold on an individual.
But the largest impact will be on firms whose business models rely on acquiring and exploiting consumer data at scale. If companies rely on consent to process data, that consent now has to be explicit and informed – and renewed if the use changes.
How does it affect the tech titans?
The world’s largest companies have updated their sites to comply with GDPR. Facebook launched a range of tools to “put people in more control over their privacy”, by unifying its privacy options and building an “access your information” tool to let users find, download and delete specific data on the site. The company also forced every user to agree to new terms of service, and took the opportunity to nudge them into opting-in to facial recognition technology.
Apple revealed a privacy dashboard of its own – although the company proudly noted that, unlike its competitors, it does not collect much personal data in the first place and so did not need to change much to comply. Google took a different tack, quietly updating its products and privacy policies without drawing attention to the changes.
What does it mean for me?
You have the power to hold companies to account as never before. If individuals begin to take advantage of GDPR in large numbers, by withholding consent for certain uses of data, requesting access to their personal information from data brokers, or deleting their information from sites altogether, it could have a seismic affect on the data industry.
But can I ignore all those emails?
Almost certainly. Companies have generally sorted in one of two camps, depending on what legal advice they’ve taken. On the one hand are those who argue they have a “legitimate interest” in processing your data, and just feel the need to notify you of the forthcoming changes to their terms and conditions; on the other are those who believe they need explicit consent from you to keep in touch. Either way, the worst case scenario is usually that ignoring an email will mean you receive fewer in the future. And if you do miss out, you can always resubscribe.
What will the long-term effect be?
Even without user pressure, the new powers given to information commissioners across the EU should result in data processors being more cautious about using old data for radically new purposes.
Counterintuitively, though, it could also serve to entrench the dominant players. A new startup may find it hard to persuade users to consent to wide-ranging data harvesting, but if a company such as Facebook offers a take-it-or-leave-it deal, it could rapidly gain consent from millions of users.
Will it work?
“The rules will always be bent, if not broken, by companies seeking to gain a competitive advantage,” says Ben Robson, a partner at legal firm Oury Clark. “But the newly introduced principle of demonstrable accountability and the unprecedented scale of penalties made available to the regulators should constitute a greater deterrent against breach and a shift from the current, relatively toothless and largely ignored, regime.”
Is this the end of it?
Not by a long shot. The early days will probably be marked by a flurry of court cases, as individuals and firms argue whether or not their interpretation of the requirements is the correct one.
Is this worldwide?
GDPR applies only to the EU, but given the scale of the market, many companies are deciding it’s easier – not to mention a public relations win – to apply its terms globally. Apple’s privacy tools are worldwide, for instance, as are Facebook’s (although the latter won’t promise to apply every aspect of GDPR globally, noting that the rules may clash with privacy regulations in other jurisdictions).
What happens after Brexit?
The regulation will shortly be part of UK law, thanks to the data protection bill that has been working its way through parliament since September 2017, and the government has committed to maintaining it following Brexit. In theory, a future government could change the law again – but even then, any British company wishing to do business with Europeans would have to follow the regulation.