1. Who and what does the GDPR apply to?
2. I'm not European, why should I care?
3. What rights are granted by the GDPR?
4. What does it enforce on companies that handle personal data?
5. So what are the upsides?
6. What companies have already implemented changes?
7. Ok, what's the TL;DR?
The 88-page document encompasses 99 articles and covers topics such as the right to be forgotten, consent management, data portability, and protocols for handling data breaches. It's a reasonably lengthy document with its fair share of legal jargon, so we'll attempt to break it down and go over who it affects, what requirements it enforces, and which rights it confers. (Disclaimer: I am not a lawyer, and this should not, in any way, be taken as legal advice.)
Who and what does the GDPR apply to?
The laws are obviously applicable within the European Union's borders, but things are never really that simple. For starters, it applies only to individuals who are in the EU, even if they are just passing through on vacation. It also does not necessarily apply to EU citizens, so a Frenchman living in the US is not protected by the GDPR.
On the flip side, it will be enforceable on any company that processes data on at least one person in the EU, regardless of whether that company is European or even if it has any physical presence within the EU at all. The regulation's definition for what constitutes "processing" of personal data is very wide in scope, and includes any operation performed on personal data, such as "collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction" (Art. 4).
The definition of personal data is no less broad. The regulation characterizes it as "any information relating to an identified or identifiable natural person" (Art. 4). In plain English, that means any data that either relates to a given individual — such as their nationality, gender, or income — or that is specific enough to be able to directly or indirectly identify an individual — such as their name, identification numbers, address, or potentially even a very rare medical condition. It is worth highlighting that the regulation is only applicable to personal information. If the information cannot be considered personal in the sense defined above, it is not protected by the GDPR.
One of the more drastic changes introduced with the GDPR is the severity of the fines involved. A company that fails to comply with the regulation can be fined up to €20 million or 4% of its total worldwide annual turnover, whichever is higher (Art. 83). That's why so many companies are scrambling to get ready for the GDPR by May 25th, the day it goes into effect. And since the EU is such a big player in the global economy, boasting a GDP of $17 trillion and a population of more than half a billion, dropping out of the European market just isn't an option for most companies.
Oh wow. That's REALLY thinking outside the box. pic.twitter.com/sBLr5a4UAh
— Mikko Hypponen (@mikko) May 4, 2018
The "screw it" approach to compliance
I'm not European, why should I care?
Even if you've never been to Europe and don't plan on visiting, the GDPR will still inevitably affect you. In fact, you've probably started experiencing some of the effects of the GDPR already. Countless companies, from Microsoft to Twitter to Facebook to LinkedIn to Google, have all been updating their terms of service and privacy policies, sending out emails en masse to users, notifying them of the changes.
The GDPR will also have very direct consequences even for those outside the EU. For example, Facebook has already confirmed it would be extending some of the GDPR's requirements to users in the rest of the world, such as the regulation's beefed-up privacy controls, despite not being legally required to do so. The fact is that it's likely a lot easier, cheaper, and simpler for companies to implement the same privacy options across all their users instead of having to manage different rules for different sets of users. It won't be surprising to see other companies follow suit and provide everyone with at least part of the increased data protection afforded by the GDPR.
In a more indirect sense, the GDPR will influence how we view the way companies handle our data and what we will come to expect from them. However you look at it, the GDPR will necessarily have significant ripple effects around the world.
What rights are granted by the GDPR?
The GDPR grants European residents several rights, which can reasonably be boiled down to a list of seven. Many of these rights are genuinely new, while others have already existed in the EU for a while.
Right to transparent information (Art. 12–14)
The right to 'transparent information' can be summed up simply as the right for a user to know how a company is using their data. More specifically, at the time when user data is obtained, companies are required to inform users of the following:
- the identity and contact details of the company, as well as of its representative, where applicable.
- the contact details of the Data Protection Officer of the company (explained in more detail below).
- the purposes and legal basis for processing a user's information.
- the recipients of a user's data, if any.
- when applicable, the fact that the company intends to transfer personal data to a third country or international organization.
- the period for which a user's data will be stored, or the criteria used to determine that period when it cannot be specified beforehand.
- the user's rights with regard to their data, namely the rights to access, rectify, and erase personal data, the rights to restrict or object to processing of personal data, and the right to data portability.
- the user's right to withdraw consent to processing of personal data at any time, provided that processing is not necessary for legal reasons (such as in the case of a contract involving the user or in order to protect the vital interests of some person, in which case the company is also required to inform users of this fact).
- the user's right to lodge a complaint with the supervising authority.
- if and how "automated decision-making" is performed with a user's data, such as profiling.
In addition to this, if the data has not been directly obtained from the user (such as when it is obtained through a third party), companies must also inform users of the types and sources of the personal data obtained.
The right to transparent information also establishes that companies must comply with a request from a user regarding any of the rights listed below "without undue delay" and within one month of receiving the request, with the possibility that the period may be extended by up to two additional months in exceptional conditions, such as the complexity or number of the requests.
As a safeguard for when companies receive requests from an individual that are "manifestly unfounded or excessive," a company may either refuse to comply with the request entirely or charge a "reasonable fee," based on the administrative costs associated with acting on the request.
Right of access (Art. 15)
This right of access allows users and customers to know whether a company processes their personal data, and, if so, to access that data, as well as information on how and why that data is being used.
Right to rectification (Art. 16)
The right to rectification entitles users to request that inaccurate information concerning them be corrected, as well as have incomplete information completed.
Right to be forgotten (Art. 17, 19)
The right to be forgotten establishes that individuals should be able to request that a company cease to process and erase any and all personal data concerning them, as long as at least one of a specific list of conditions is met. These conditions are that:
- the data is no longer necessary for the purposes for which it was collected.
- there is no legal requirement for the processing of data.
- the data was unlawfully processed.
- the data must be erased to comply with a legal obligation.
- the data relates to a person who is legally a minor.
There are also some cases in which the right does not apply, namely when processing of the data is necessary for:
- exercising the freedom of expression and information.
- complying with a legal obligation.
- reasons of public interest in the area of public health.
- archiving purposes in the public interest, or for scientific, historical, or statistical purposes.
- the establishment, exercise, or defense of legal claims.
This right isn't new at all — its conception goes back at least to 1974 with the Rehabilitation of Offenders Act in the United Kingdom. Its purpose is arguably a worthy and noble one: that people who are convicted of relatively minor offenses should not be indefinitely penalized with a permanent stain on their records. In other words, once a conviction has been 'spent,' it should not have to be disclosed when the individual applies for a job or obtains insurance, for example.
However, the right gained some notoriety in 2014 when a man named Mario Costeja González filed a lawsuit against Google because he was unsatisfied with the results he found when Googling himself. Costeja had requested that Google remove links to a 1998 newspaper announcement of the forced sale of a property belonging to him. Google refused to comply with the request, arguing that Costeja did not have the right to erase lawfully published material, but the court ultimately sided with Costeja, and Google was forced to remove the links. It was also around this time that the right started becoming known as the right 'to be forgotten.'
Ironically, Costeja's suit ended up bringing much more attention to the news article he was trying to hide in the first place. He even attempted to have links about his case against Google removed from the search engine, but was denied by the Spanish Data Protection Authority. Someone would have done well to warn him of the Streisand effect before he decided to sue the biggest search engine in the world.
The inclusion of the right to be forgotten in the GDPR is significant, making it applicable even outside the EU's borders. A case like Costeja's will now require Google to not only remove offending links served through the Spanish version of the search engine, but also in every other region, including the United States. And while the right does provide some exceptions for information that is of public interest (such as with politicians), it isn't hard to see how it could be abused and how it undermines and contradicts the right to freedom of information.
Right to restriction of processing (Art. 18, 19)
If an individual wishes to pause processing of their personal data instead of having it deleted entirely, they may also choose to do so. This section of the document grants individuals the right to request that personal data temporarily cease to be processed in any way (other than being stored) in any of the following situations:
- the accuracy of the data is contested by the individual, and the company must be allowed some time to verify its accuracy.
- the processing is unlawful.
- the company no longer needs the data, but it is still required by the individual for the establishment, exercise, or defense of legal claims.
- the individual objects to processing of their data, and the company must verify that there are no legal requirements that override the request.
Right to data portability (Art. 20)
Users are also allowed to receive their personal data in a structured, machine-readable format and to transfer it to any other company if they wish. There are some conditions on the type of data processing to which the right applies, namely that the processing is based on consent given by the individual (e.g. users don't have a right to portability of their criminal records) and that the processing is carried out automatically (portability requests on manually processed data would be unreasonably cumbersome, since they would require converting analog data into a digital format).
Interestingly, this right will allow users to easily migrate all their data from one service to another. This may be a potential game-changer for companies like Facebook, which, to some extent, rely on the difficulty of switching to a competitor to keep users stuck to their service.
Right to object (Art. 21–22)
The right to object includes provisions allowing individuals to object to the use of their data in "automated decision-making processes" such as profiling or targeted ads. It also allows users to object to having their data used for direct marketing purposes.
What does it enforce on companies that handle personal data?
In addition to having to accept requests from users concerning their rights, companies that handle personal data will now be under a lot more scrutiny and must take several proactive measures to protect user data.
Data Protection Officer (Art. 37–39)
The GDPR introduces a new, high-level enterprise leadership role called the Data Protection Officer (DPO) who reports directly to upper management. The job of the DPO is to supervise all matters concerning the protection of personal data within an organization. One of the main tasks of the DPO is also acting as a point of contact for individuals who have an issue related to the processing of their personal data. Importantly, companies will not be able to use their DPO as a scapegoat in the event of a data breach or similar incident, nor will they be able to penalize or dismiss the DPO for performing his or her duties.
The regulation specifies that a DPO must be designated by any company whose core activities "require systematic monitoring" of individuals on a "large scale" or that handles "sensitive" data (e.g. biometric data, data on individuals' personal beliefs, or criminal records). The requirement is slightly vague, but it's pretty clear that every company from Google and Facebook to mid-size banks and retailers will fall under that definition. On the other hand, websites (such as this one) that collect little more than cookies from their users probably don't need a DPO.
The tasks of the DPO include:
- informing and advising the company and its employees on GDPR compliance.
- monitoring GDPR compliance within their company.
- cooperating with the supervisory authority and acting as a point of contact on issues relating to processing of personal data.
- executing "data protection impact assessments" (Art. 35) to gauge the potential risks involved in and prior to carrying out particularly impactful operations, such as a large data migration.
It is possible for the DPO to take on other duties besides those placed on them by the regulation, as long as those duties do not result in a conflict of interests. However, given that their responsibilities are already more than enough for a full-time job, most mid-size to large companies will likely opt to have a dedicated individual as their DPO.
Consent management (Art. 7–8)
The way organizations collect consent from individuals on how they process personal data also changes in light of the GDPR. Consent must be freely given, unambiguous, and limited to specific purposes, and it must be "as easy to withdraw as to give consent." More significantly, the GDPR states that when consent is given through a "declaration which concerns other matters" (e.g. a lengthy terms of service contract), it should be presented in a way that is clearly distinguishable and using "clear and plain language." Any part of the declaration which does not abide by these rules will be considered non-binding. This may finally kill off those 30-page-long terms of service contracts which no one reads or understands — going forward, it should be much clearer what a user is consenting to.
With regard to obtaining consent from minors, the processing of personal data is only lawful for children who are at least 16 years old, though parents or legal guardians can grant consent for children under that age. Each member state of the EU may choose to legally establish a lower age bound, as long as it is not below the age of 13.
Handling of data breaches (Art. 33–34)
Data breaches are unfortunately an increasingly common occurrence. It should therefore come as no surprise that the GDPR includes a considerable focus on what to do in the event that a personal data breach occurs and on recommendations to minimize its impact.
Companies that process personal data must ensure that steps are taken to avoid data breaches and their potential damage by implementing several security measures, such as:
- limiting internal access to data to those employees who need access to the data.
- minimizing the amount of data kept on individuals to that which is strictly necessary.
- encrypting data in storage and transmission.
If and when a data breach does occur, an organization must:
- notify the supervising authority no later than 72 hours after becoming aware of it, including information on:
  - its nature and the types of data involved in the breach,
  - the approximate number of individuals affected,
  - the likely consequences of the breach,
  - the measures taken or proposed to be taken to address the breach.
- communicate the breach to the affected individuals as soon as possible.
Transfer of data to third parties (Art. 28–29)
In the wake of the Cambridge Analytica scandal, it is particularly relevant that companies be aware of and responsible for how third parties use and handle their customers' personal data. When establishing a contract allowing a third party to access and process personal data, the company must ensure that:
- third parties only share information with other "fourth" parties after obtaining specific authorization (directly addressing what happened in the case of Cambridge Analytica).
- third parties only process users' personal data under documented instructions from the company.
- any person authorized to access or process personal data has committed themselves to confidentiality.
Transfer of data outside the EU (Art. 44–47)
The GDPR is not too restrictive on allowing personal data to be processed on or transferred to servers outside the EU's borders, as long as certain criteria are met. The European Commission will publish a continually-updated list of countries, territories, or international organizations to which a company can transfer its users' data (without detriment to the regulation's other requirements), based on factors such as the country's rule of law, respect for human rights and freedoms, and relevant legislation. Essentially, there shouldn't be any issues transferring data to the United States, but there might be when transferring user data to authoritarian military dictatorships.
In the event that a company wishes to transfer data to a country or territory not on the official GDPR-sanctioned list, it can still do so provided it takes appropriate safeguards.
So what are the upsides?
The advantages of the GDPR's new rules are many, particularly for the average user, but also for companies that process personal data. From the point of view of the user, the regulation provides them with more rights, more transparency from companies, and potentially more competition between companies and services due to data portability (since companies no longer own a user's data and are required to give it to the user upon request). Within the EU, the GDPR also has the added benefit of creating more harmonized legislation across member states.
On the other hand, while compliance with the regulation can undoubtedly be seen as a chore by many companies, it also creates an incentive to have data stored in a more structured and accessible fashion, instead of having it distributed haphazardly across multiple systems. A more organized database, along with users' right to rectification, will likely improve overall data quality — an incredibly valuable asset for companies. Likewise, clearer consent from users will also result in a greater return on investment for marketing campaigns. For startups and small companies that want to go up against Goliaths, having new users easily port their own data to their services will certainly be a boon.
What companies have already implemented changes?
Surprisingly (or perhaps not so), many — if not most — companies and organizations will probably not be 100% GDPR compliant by the deadline. A quick search of LinkedIn's job listings reveals hundreds upon hundreds of companies still looking to fill the position of Data Protection Officer, arguably one of the first requirements for reaching compliance with the regulation.
On the other hand, European regulators aren't prepared to begin enforcing the GDPR, either. According to a Reuters survey from earlier this month, as many as 17 out of the 24 respondents said they "did not yet have the necessary funding, or would initially lack the powers, to fulfill their GDPR duties." Given how far behind both businesses and regulators are with regard to the GDPR's requirements, it's extremely likely we'll only see a sort of 'soft launch' on Friday. As companies gradually get their ducks in a row, regulators may decide to shift from handing out warnings to imposing fines.
Some larger companies, such as Google and Facebook, seem to be further along in terms of compliance than others, mainly because they already complied with many of the requirements before the GDPR had even been drafted. Google, for example, recently published a detailed view of the changes it's made to comply with the GDPR, most of which are available for non-EU users as well. Google's My Account page, which allows users to access their recent activity and ad preferences, has been updated with better controls and additional clarity. Data portability, which Google first provided back in 2011 with the 'Download your data' tool, now supports even more Google services and an option to schedule regular downloads. To better handle parental consent for users who are minors, Google is also rolling out Family Link throughout the EU.
Mark Zuckerberg told the European Parliament on Tuesday that Facebook would be fully compliant with the regulation by the deadline. A recently closed job listing on LinkedIn and on Facebook (cached version) for a DPO appears to indicate that Facebook has already found the right applicant for the position. According to The Recorder, the new DPO is the company's current chief privacy officer, Stephen Deadman, who will also be acting as the DPO for Instagram and WhatsApp. Facebook has said it plans to extend the controls granted by the GDPR outside the EU, and it recently became possible for users to download their own data on Instagram and WhatsApp.
Dozens of other companies have updated their privacy policies, too, from Cloudflare to Plex to Sonos to Garmin to Disqus (the service Android Police uses for its comment section), with many providing new features for all their users to comply with GDPR requirements.
Ok, what's the TL;DR?
If you're just here to read the headline and leave a comment, you might be missing out. However, if all you want is a one-sentence summary of how the GDPR will affect you, here it is: the GDPR will impact users even if they aren't in the EU, giving them more rights with regard to their personal data, as well as achieving more transparency on how companies use that data.