18 May, 2018
On May 25th, the European Union’s new General Data Protection Regulation (GDPR) is scheduled to take effect. The law—designed to give users more control over how their data is collected, stored, shared, and used—will replace its 1995 predecessor, the Data Protection Directive (DPD).
The old regime
At the time of passage, the DPD was a landmark piece of legislation. Never before had such an effort been directed toward the privacy rights of internet users across the entire European Union (EU). The DPD is based on seven key principles put forward in 1980 by the (huge mouthful incoming) Organization for Economic Cooperation and Development’s (OECD’s) Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-border Flows of Personal Data. Those principles include notice, purpose, consent, security, disclosure, access, and accountability.
The OECD’s principles served as non-binding guidelines for EU member nations, however, and over time the fact that nations could pick and choose what to follow became increasingly problematic. Data and privacy laws varied across the continent, which undermined the ease of doing internet-based business abroad. In an effort to solve this problem, the DPD wrote the guidelines into law. It further dictated how member nations would manage and protect user data and privacy—a directive that also applied to any international controllers operating equipment within the EU for the purpose of data collection. This meant that even companies outside of its jurisdiction would be obligated to comply if they wanted to do business in the EU.
Although this was a giant step forward, problems from the old regime carried into the new—implementation and enforcement were still messy and expensive—and in 2012 the European Commission submitted a proposal for comprehensive reform. Something even more modern, efficient, and collaborative had become necessary.
Privacy by design
The GDPR was passed in 2016, and its ambition is to harmonize the EU under a single, comprehensive framework that ensures privacy by design and by default. It accomplishes this by expanding on existing regulations like the DPD and the Privacy Shield. The result is that internet users across the globe will have much greater control over their personal data, and in theory the consumer trust generated by the law will make everyone more comfortable enjoying the benefits of the digital economy.
The Verge reports that there are two key ways the GDPR extends its reach. “First, the GDPR sets a higher bar for obtaining personal data than we’ve ever seen on the internet before.” In practice this means more consent boxes, clearer Terms of Service language informing consent, the ability for users to revoke that consent, and improved data portability. The law also covers all EU citizens—not just companies and subsidiaries doing business within its borders—and as a result nearly all online services will be affected. Other features include a requirement that companies report breaches to users within 72 hours of discovery, opt-in “parental responsibility” settings to protect children under 16 from data collection, and the “right to be forgotten” that allows users to have their personal data scrubbed from the internet entirely.
Secondly, the baby teeth enforcing the previous regime have developed into some serious canines. Maximum fines for non-compliance are either 4 percent of annual turnover or a jaw-dropping €20 million—whichever is greater. The bottom line is that if companies don’t want to risk their… well… bottom line, then they’ll have to conform religiously to the GDPR’s demands.
TechCrunch explains the need for this massive step-up in penalties: “In the UK, for example, the Information Commissioner’s Office can currently impose a maximum fine of £500,000. Compare that to the annual revenue of tech giant Google (~$90 billion) and you can see why a much larger stick is needed to police data processors.”
Although the new regulations and penalties encourage a much safer online environment for users, not all companies are having an easy time with compliance. According to CNN Tech, small businesses in particular have been struggling in advance of the deadline, even to the extent that some have been forced to shut down their operations in Europe.
Adapting to the GDPR requires lots of manpower, and many small businesses like mobile marketer Verve, online game producer Uber Entertainment, and Czech internet company Seznam.cz cannot afford to hire the lawyers, data experts, and programmers necessary to restructure and maintain their businesses. The void left by these companies will funnel data traffic through larger companies who can afford to make the transition: “experts say that the world’s biggest companies are spending tens of millions of dollars to prepare. Smaller companies that do not have the same resources are struggling.”
The GDPR also impacts advertisers. Whereas third-party partners used to enjoy relative freedom to share data and operate behind the scenes, they are now beholden to a higher transparency standard. This arena is notoriously complicated, and legal ripples affecting the data supply chain will be seen long after implementation.
Other companies, however, are working to skirt the regulations. According to Reuters, Facebook—whose international headquarters are located in EU member nation Ireland—is trying to limit its compliance to European users only, exempting 1.5 billion users in Africa, Asia, Australia, and Latin America. The company argues that, despite its reluctance to comply, its own data operation is the same in spirit—if not in practice—and is working toward the same result either way.
The way of the future
Despite the challenges inherent to this level of change, users and companies alike stand to gain enormous benefits from enhancing online best practices. Independent of the GDPR, data privacy is the way of the future. Many companies collect personal data without compensating users or giving them a say in how their data is used—but many companies are also rising to the occasion.
VeriToken, for example, flips the script, allowing users to dictate how their data is used, who can see it, and how much they can charge for it. Our mandate at VeriToken is to build a much-needed layer of trust and transparency in the digital space with a blockchain-verified database of personal information that gives the power back to the people. We’re not saying the GDPR was our idea, but we’re one of a growing number whose ideas are consistent with the forward direction of global commerce.
There’s still a long way to go before the full effects of the GDPR are felt—it hasn’t even happened yet! But just as rising sea levels lift all boats, so too does the GDPR compel improved personal data protection around the world.
Image: Regulation GDPR Data by TheDigitalArtist, Pixabay.