Europe’s new data and privacy rules take effect Friday, clarifying individual rights to the personal data collected by companies around the world for targeted advertising and other purposes. Years in the making, the rules are prompting companies to rewrite their privacy policies and in some cases, apply the European Union’s tougher standards even in the US and other regions where privacy laws are weak. Although they take effect as Facebook faces an enormous privacy crisis, that timing is largely coincidental.
Not much will change for you, at least right away; companies will keep on collecting and analyzing personal data from your phone, the apps you use and the sites you visit. The big difference is that now the companies will have to justify why they’re collecting and using that information, and they’re prevented from using that data for a different purpose later. As a result, companies have been flooding their users with notices that aim to better explain their practices and the privacy choices they offer. EU regulators have new powers to go after companies that get too grabby or that don’t tell you clearly what they’re doing with your data. Here’s a look at what the rules say and what they mean for consumers in the EU and elsewhere.
THE BIG DEAL WITH MAY 25
That’s when the EU’s General Data Protection Regulation takes effect. Instead of separate rules in separate nations across Europe, there’s now a single set for the entire EU. The new rules apply to all users in the 28-nation EU, regardless of where the companies collecting, analyzing and using their data are located. So the rules affect giants such as Facebook and Google just as much as small US businesses with a single European client.
WHAT DO THE NEW RULES SAY?
Companies have to use plain language to explain how they collect and use data. While companies generally aren’t changing what they’re doing, they are revising privacy policies to eliminate legalese. Google is embedding video (from its YouTube service, of course) to further explain the concepts.
GDPR spells out six specific ways that companies can justify the “processing,” or use, of personal data. Some are obvious, such as to fulfill contractual obligations — for instance, when an insurer pays out a claim. For other uses, such as ad targeting, companies can seek your consent. Those that aren’t sure they got consent properly are now going back to users.
There’s also a somewhat vague category called “legitimate interests.” It’s a catch-all justification that companies can fall back on to keep using data, though the company must show that its needs outweigh potential impact on users’ privacy, said David Martin, senior legal officer for the European consumer group BEUC.
Companies are also required to give EU users the ability to access and delete their data, and to object to data use that a company justifies under one of the claimed reasons. Firms also have to clarify how long they retain data.
And the rules force companies that suffer data breaches to disclose them within 72 hours. By contrast, it took Yahoo more than two years to reveal a breach that ultimately involved three billion users.
FOR COMPANIES OUTSIDE EUROPE
Facebook, Google and their ilk may be headquartered in Silicon Valley, but they have millions of users in Europe — and so have to comply with the new rules. Violators face fines of up to 20 million euros ($24 million) or 4 percent of annual global revenue, whichever is greater. That’s an incentive for companies to take these rules seriously.
WHAT ABOUT USERS OUTSIDE THE EU?
Companies based in the EU have to offer these privacy protections to all their users, not just EU residents. Beyond that, the EU rules merely say they apply to “data subjects who are in the Union.” But it’s an open question how the rules will affect visitors to Europe. Ailidh Callander of the London-based group Privacy International says many questions will be tested in courts and further rulemaking.
What’s clear is that companies won’t have to be as aggressive getting consent for data collection outside of Europe. (Absent regulation, companies typically assume consent unless a user says otherwise.) They can hold off seeking affirmative consent until you visit the EU, at which point you might confront a pop-up notice.
A GLOBAL DOUBLE STANDARD
Some companies are extending at least some EU-style protections to all users. Among leading tech companies, Microsoft made the strongest promise to offer EU rights to users everywhere. However, companies outside the EU won’t face legal repercussions or fines if they fail to follow through with users outside the EU.
So unless the US and other countries adopt privacy rules similar to those in the EU — something that’s not likely any time soon — many companies are likely to maintain double privacy standards.
Facebook CEO Mark Zuckerberg, for instance, promised “global settings and controls” for users during his US congressional testimony in April, but was otherwise vague on the subject. When asked if US users would have the same rights Europeans have to object to the use of data, Zuckerberg said, “I’m not sure how we’re going to implement that yet.”
But segmenting EU customers from the rest of the world isn’t easy, especially for smaller companies without Facebook’s or Google’s technical prowess. “It might seem like a smart move, but in some cases, it’s more work,” said Larry Ponemon, founder of the privacy research firm Ponemon Institute.