EU’s sweeping online privacy laws finally take effect in May, highlighting what’s missing in the U.S.

EU parliament set a new precedent for data protection by streamlining privacy laws of member-states, allowing regulators to punish companies responsible for data breaches on par with anti-trust violations

By Brian Santo, contributing writer

The European Union has just spent the last four years working to standardize the privacy laws of its 28 member-states to provide consistent protection of citizens’ privacy across the continent. Europe adopted the new regulations in April, and they’ll go into effect next May. The new rules apply to pretty much every company doing business in Europe.

The single most easily grasped difference between Europe’s old patchwork of national laws and the new continental regime is this: the new laws have teeth. Before, companies that violated privacy protections might have faced some weak fines at worst. After the new laws kick in, violators will be on the hook for up to 4% of annual turnover or €20 million (roughly $24 million), whichever is greater.

Interest in privacy matters goes back decades in Europe. The current regulatory regime, known as the Data Protection Directive (DPD), was originally established in 1995 but was built on a set of guidelines agreed upon in 1980. The new law, replacing the DPD, is the General Data Protection Regulation (GDPR). A directive is considered a goal that must be met, whereas a regulation is a binding legislative act.

The shorthand for one of the biggest changes from the DPD to the GDPR is “extra-territorial applicability.” In the past, some companies with European customers would avoid privacy regulations by processing customer data in jurisdictions where the GDPR did not apply, and some non-European companies argued that the guidelines didn’t apply to them in the first place. The updated version makes it clear that the law hinges on the location of the citizen, not the location of the company. If a company has customers in Europe, GDPR rules apply, regardless of where the customer data is processed or where the company is headquartered.

Another change involves the process of securing customer consent for collecting and using customer data. Companies will have to explain in plain language (as opposed to legalese) what they are asking. The Europeans are still wrangling about opt-in rules and which types of industries will have to support opt-in regulations, but there seems to be general agreement that the default position is opt-in.

Companies must notify customers of breaches within 72 hours of first becoming aware of the breach. In the U.S., there are no federal laws compelling companies to announce breaches, though some states have adopted such measures. In practice, U.S. companies have often waited months before acknowledging breaches and sometimes do so only when forced to by circumstances.

Also, European citizens will gain the right to find out whether or not personal data concerning them is being processed, where, and for what purpose. Citizens will also have the right to be forgotten — to have their data erased.

The regulations are fairly simple to summarize, but there will be complications in application. For example, citizens will get the right to make their data portable — to move it from one company to another — but there will be exceptions, for example, when their data is considered part of a vendor’s intellectual property. Such tension between regulatory goals and corporate practices will almost certainly end up having to be resolved in future legal proceedings.

Meanwhile, in the U.S., companies such as Yahoo, Target, and Anthem have experienced few, if any, consequences for practically giving away the records of hundreds of millions of their customers. Equifax recently left more than half of all American adults at risk of the worst kinds of identity theft; its departing CEO will receive bonuses that could amount to $18 million over the next two years.
