Editor’s Note: This post was a collaboration between graduate student Smirity Kaushik and assistant professor Yang Wang.
Have you noticed that recently many companies such as Google, Spotify, and LinkedIn have sent emails or alerts notifying you about changes in their privacy policies? Why are they all doing that? Well, companies around the world are getting ready for what may be considered a new era of privacy legislation, the introduction of the General Data Protection Regulation (GDPR).
What is GDPR?
Beginning on Friday, May 25, 2018, the GDPR will be enforced on the 28 member states of the European Union (EU). The GDPR is the EU’s latest, sweeping data protection regulation that replaces the existing Data Protection Directive 95/46/EC. The GDPR is designed to harmonize data privacy laws across Europe.
Why is GDPR important?
While the GDPR only protects EU citizens, its impact goes far beyond Europe and can be global in nature. Yes, American users will also be affected. Many companies such as Google, Facebook, and Amazon have already started to reshape their privacy policies and practices to comply with the GDPR. These companies serve users around the world, so all users can be affected. For instance, in a recent hearing before the House Committee on Commerce and Energy, Mark Zuckerberg stated that the changes Facebook is making in response to the GDPR will be available worldwide. So, these changes will not only affect EU users but also users from other countries.
From a company’s standpoint, if it is not in compliance with the GDPR, it may face severe penalties, including fines, minimum 2% or 10 million euros and maximum up to 4% percent of global revenue, or 20 million euros or more, whichever is higher. These hefty penalties create strong incentives for companies to examine and update their privacy policies and practices to comply with the GDPR. There is also a rapidly growing industry that offers GDPR compliance tools and/or services to companies.
What exactly does GDPR require or prohibit?
The GDPR applies to two categories of organizations in any sector: a) those that employ EU citizens; and b) those that collect, process, and store data about EU citizens. Furthermore, the legislation states that the organizations should take user consent to collect data and “implement appropriate technical and organizational measures” to protect EU citizens’ personal data. In this case, personal data includes two types of information: a) personally identifiable information such as name, location data, social security number; and b) other information related to genetic, economic, cultural or social identity. In addition, the legislation requires encryption of personal data, regular privacy impact assessments, mapping of sensitive data within the database as well as confidentiality, integrity and availability of personal data.
Importantly, the GDPR provides data ownership to EU citizens by offering them robust privacy rights such as Right to be Forgotten, Right of Access to Data, Right to Data Portability, and Right to Explanation of Automated Decision-Making.
For example, if a user wondered how Facebook is able to show ads about the exact pair of shoes that she was shopping for on Amazon. The user can now ask Facebook about how they had that information about her, for what purpose they collected that information about her (Right to Access Data), how they profiled her based on the information collected (Right to Explanation of Automated Decision-Making); and object to profiling her based on the activities she performed on the web (Right to Object). Take the Right to be Forgotten (RTBF) as another example. A user who searched herself using online search engine such as Google found that the results included links from an old newspaper article about the debt she had paid long ago. Under RTBF, she could ask Google to delete those links from the search results. The EU citizens can also approach the Data Protection Authority (DPA), a dedicated government agency for protecting citizen privacy, established in their specific home country to redress the grievance in case of company non-compliance or increase citizens’ general awareness about these rights. For instance, the United Kingdom-ICO (Information Commissioner’s Office) provides comprehensive information to the public about their rights under the GDPR and how to exercise these rights.
Will the GDPR only affect Europe?
Again, the answer is no. While central to Europe, the impact of GDPR is global as it will apply extraterritorially to any organization outside the European Union that collects or processes the information of EU citizens. If companies like Facebook are making their GDPR-related services to all users, then users across the world may be able to exercise some of the privacy rights offered by the GDPR, such as the Right to be forgotten (Art 17), Right of access by data subject (Art 15) and the Right to data portability (Art 20), among other individual rights offered under chapter III of the GDPR.
GDPR in action – some examples
Many companies recently rolled out new privacy features on their platforms in response to the GDPR. Here are two examples from Twitter and Google, respectively.
Twitter in its recent privacy-related email mentioned that people can now more clearly see and control how their data is shared with its business partners. These changes are reflected in its interface. For example, near the very bottom of Twitter’s settings menu, there is now a button called Your Twitter data. Here, the user can see the number of advertisers that are trying to target the user based on her interests. She can also opt out of this so-called interest-based advertising.
In a nutshell, the GDPR introduces accountability, transparency, and fair processing of personal user data for purposeful use on part of the organizations. It also gives data ownership to the users to actively engage in the processing of their personal data and exercise privacy rights such as Right to be Forgotten, Right to Access of Personal Data, and Right to Explain Automated Decisions, e.g. profiling. The GDPR has begun a new phase of creating general awareness about user privacy and data protection that transcends the continental boundaries. People around the world, not just EU citizens, could directly or indirectly benefit from this landmark legislation.