The EU’s new online privacy regime – among the toughest in the world and the better part of a decade in the making – takes effect at the end of the week, on May 25. The regulation, the General Data Protection Regulation (GDPR), is intended to give internet users more control over their own information and covers almost anything that can be linked to an identifiable individual: addresses, credit card numbers, travel records, religion, web search history, online identifiers such as device and cookie IDs, biometric data, and so on. It also enshrines the “right to be forgotten” (formally the right to erasure) in European law, meaning people can ask companies to delete certain data about themselves.
To enforce its sweeping privacy rules, the GDPR allows regulators to fine companies up to four percent of a firm’s annual global revenue – or €20 million, whichever is greater – for the most serious violations. Facebook, which has recently been implicated in privacy scandals in the EU – including the Cambridge Analytica affair, in which the consultancy harvested data from millions of Facebook accounts without users’ consent – would face a fine of up to roughly €1.3 billion if a case were brought against it under the new law.
Big tech companies, like Facebook and Google, are therefore taking massive measures in order to comply with the new regulation, lest they be shut out of the EU’s market of 500 million affluent consumers. In January, Facebook rolled out a new global data privacy center. Google has redesigned many consent agreements and changed underlying technology to make it easier to remove consumers’ data. Consulting firm Ernst & Young has estimated the world’s 500 biggest corporations are on track to spend $7.8 billion (€6.5 billion) to comply with GDPR.
But it’s not just the big tech players with offices in EU countries that will be affected. The GDPR’s territorial scope “applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location,” as the EU’s own summary puts it; in the text of Article 3 the trigger is offering goods or services to people in the EU, or monitoring their behaviour there. That means if a small tech company focused on healthcare, for example, is collecting information about a resident of France, it must still follow the GDPR rules even if it has no offices in France (or anywhere in the EU, for that matter). Because the GDPR is a regulation rather than a directive, it applies directly in every member state without national transposition; what is left to national governments is adapting their existing data protection laws to it and empowering the national supervisory authorities that actually enforce it.
In France, a draft amendment to the existing French Data Protection Act has made clear that GDPR rules apply to the processing of personal data of individuals residing in France, even if the controller is not established in the country. The French data protection authority, the CNIL, will be able to issue an injunction backed by a daily penalty of up to €100,000 for violations. The amendment was adopted in a reading by the National Assembly on April 12, but has not yet been enacted into law.
As EU countries continue to revise their own laws to align with GDPR, other nations around the world are taking notice and rethinking their own regulations, since the EU ties free data flows with trading partners to so-called “adequacy decisions”: formal findings by the European Commission that a third country’s data protection is essentially equivalent to the bloc’s. Israel and New Zealand are among a handful of international partners that have received such decisions, while both South Korea and Japan are awaiting theirs, the former after its free-trade agreement with the EU took full effect in late 2015 and the latter after its agreement was concluded in principle in late 2017.
While the United States is recognised as providing adequate protection, limited to companies certified under the EU-U.S. Privacy Shield framework, and while billions of euros of trade flow across the Atlantic every year, the U.S. has long opposed doing data protection the EU way. Since the mid-1990s, EU policymakers have brought to fruition a series of data protection rules that have become the de facto global standard for most countries – with the notable exceptions of China, Russia, and the United States. U.S. policymakers argue that the American approach, built on sector-specific statutes and enforced by the Federal Trade Commission, does more to guard against misuse than the European one.
Still, in 2015 the Court of Justice of the EU invalidated the 15-year-old Safe Harbour agreement governing EU-U.S. data transfers, after judges ruled that EU citizens’ data was not adequately protected from access by U.S. authorities once transferred across the Atlantic. This, along with the new privacy rules taking effect on May 25, is a stark reminder that Europe has become the world’s privacy police officer.