What does the European General Data Protection Regulation actually mean for you? Here’s a guide to the GDPR.
The General Data Protection Regulation (GDPR) came into force on May 25, two months after Facebook was embroiled in yet another scandal for having illegally handed off 87 million users’ data to Cambridge Analytica. It updates the European legal framework concerning how companies can collect and process personal data. But what does the text say, and what does it mean for you?
The GDPR was voted on by the European Parliament in 2016. It replaces a directive dating back to 1995 and takes the explosion of Big Data and other digital advances into consideration. It covers all EU residents and guarantees Internet users and users of connected objects a number of rights regarding the use of their personal data. As most of us now know, personal data is likely to be collected and used by the websites, apps and digital services we use on a daily basis, most often for advertising or marketing purposes.
Clear and explicit consent
Your personal data, collected every day by a number of companies, is far-ranging: IP addresses, photos, first and last names, phone numbers, email addresses, etc. Some of these – principally from social networks, Google searches, mobile apps and connected devices – can be sensitive, as they may reveal your political leanings, the state of your health, or your sexual orientation.
But now, the GDPR requires written, clear and explicit consent. Companies likely to use your personal data must ask your permission to do so, “in a way that is understandable, easily accessed, written in clear and simple terms.” Users themselves will now have to check “yes” or “no” boxes and will be able to change their minds, without needing to explain themselves. Additionally, companies are no longer allowed to ask you for data that isn’t strictly necessary to whatever transaction or service they’re engaging in with you. You won’t be required to provide your age or gender to receive a newsletter, for instance.
In any event, don’t be surprised if you receive a flood of emails and notifications over the next few weeks from companies and services notifying you of their updated privacy policies in compliance with the GDPR. They’ll give you the opportunity to regain control of your data by cancelling accounts or unsubscribing from newsletters, among other options.
Right to be forgotten and to portability
The GDPR includes the “right to be forgotten,” which allows you to ask that your personal data be erased by a particular company and all its partners and subcontractors. It also includes the “right to portability,” which allows you to recover the data collected about you and use it as you see fit – not in the form of printable (and often unusable) files, but in digital form, in an open format (XML, JSON, CSV). This will allow you to reuse it with other services (apps, social networks, ISPs, etc.).
All entities (companies, startups, governments) that handle European citizens’ personal data must conform to the GDPR. This includes non-European companies such as Google, Facebook or Alibaba, for instance, that collect information from French, German or Spanish customers.
In France, your personal data was already protected by the Data Protection Act (the law on computing and freedom) and the CNIL (the National Commission for Computing and Freedom, France’s data protection authority), but the GDPR reinforces these. The CNIL can be called upon when a non-French company is handling your personal information, and it can forward your claim to another data protection authority. It can also impose harsh sanctions on companies located in France that haven’t obtained your explicit consent, such as fining them up to 4% of their worldwide annual sales or 20 million euros. Until now, the fines imposed by the CNIL could not exceed 150 000 euros: derisory sums for giants like Apple or Amazon. It’s one way to “give people power over their data,” says Yaël Cohen-Hadria, a lawyer and data protection specialist.
Right to know when your data has been hacked
In 2016, Uber was hacked and the data of 57 million users was stolen. But the American ride-hailing company waited a year to reveal this fact. To avoid this kind of scandal, the GDPR grants users the right to be informed in the event of a hack. Henceforth, in the event of a data leak, the company concerned must immediately inform the relevant data protection authorities (the CNIL in France) and its users. Notifying individuals immediately, however, is not mandatory: if doing so poses an additional risk to the security of the service, the company can wait until it has implemented “the appropriate technical protection measures” before announcing the breach.
Under the GDPR, parental consent is mandatory in France for minors under 15 to register with social networks. Elsewhere in Europe, member states are free to set the age below which minors need their parents’ consent to sign up – anywhere between 13 and 16 years old. Companies must verify parental consent.
Internet users defended by associations
Finally, the GDPR allows European Internet users to be defended by consumer associations, as part of a class action suit, to stop illegal data processing. In France, this kind of recourse has already existed since 2016, under the law on the modernization of justice for the 21st century. The European regulation reinforces this right to class action.
“Privacy by design”
The GDPR also requires companies to adopt “privacy by design” – and to make sure their services collect only a minimum of personal data by default.
In order to ensure privacy from the design stage, a global standard should soon be created by the International Organization for Standardization. “Assuming that regulatory compliance alone is an insufficient model for the future of privacy protection, ISO is setting up a new committee to develop the guidelines for a standard that will not only be enforced, but also restore consumer confidence at a time when this is needed more than ever,” ISO states.