A new framework for consumer data protection goes into effect in Europe. The European General Data Protection Regulation—better known by its acronym, GDPR—sets a new standard for data collection, storage, and usage among all companies that operate in Europe. It will change how companies handle consumer privacy, and will give people new rights to access and control their own data on the internet.
That is, if you live in Europe. On its face, GDPR only affects the European Union, meaning the rights outlined within it don’t translate to other countries. (The UK will get similar rules, despite Brexit.) People in the United States aren’t entitled to the same rights or protections—but that doesn’t mean people outside of the EU should ignore GDPR completely. There will be some residual benefits for them, and understanding how the law changes data privacy for Europeans could throw into focus the digital rights people still lack elsewhere.
What Is GDPR?
GDPR is a series of laws spelling out the digital rights for citizens of the European Union. It builds on an earlier policy, called the Data Protection Directive, which Europe adopted in 1995. Many of the ideas outlined in GDPR came from the earlier regulation, and an even older set of principles called the Fair Information Practices, which covers the ways consumer information should be used. Those practices have also shaped policies in the United States, though the outcomes have differed. The United States has historically regulated privacy in context, with piecemeal laws for the privacy of healthcare records, financial documents, and federal communications. There’s nothing analogous to GDPR in the United States, and likely won’t be any time soon.
In Europe, though, GDPR represents one of the most robust data privacy laws in the world. It also gives people the right to ask companies how their personal data is collected and stored, how it’s being used, and request that personal data be deleted. It also requires that companies clearly explain how your data is stored and used, and get your consent before collecting it. “Personal data,” in this case, refers to things like a person’s name, email, and IP address, but also pseudonymized information that could be traced back to them. People can also object to personal data being used for certain purposes, like direct marketing. If you buy a pair of shoes through an online retailer and start seeing ads for similar shoes, you should be able to ask the retailer to stop using your personal data for direct marketing purposes. Under GDPR, those and other rights are guaranteed.
European citizens are granted these rights by law, but some companies may also give them to people elsewhere. “Some companies may realize it’s better to just extend GDPR protections to all their customers, period, rather than one one policy for European citizens and one policy for the rest of the world,” says Richard Forno, a cyber security researcher and the Assistant Director of UMBC’s Center for Cybersecurity. Microsoft, for example, announced that it would give all users control of their data under the new EU rules, including a privacy dashboard that lets any user manage their personal information. Other companies, like Facebook, are changing their privacy settings and tools for all users globally—but not giving all users the same rights to their data as EU users.
It remains to be seen how much the rest of the world will benefit from GDPR rules, but there are likely “some rights that companies couldn’t contain to Europeans even if they tried,” says Yana Welinder, a fellow at the Center for Internet and Society at Stanford Law School. “For example, companies will now have to notify a European agency if they had a personal data breach within 72 hours of a breach. If the breach exposes users to high risk, the company also needs to notify users directly.” Those kinds of rules could have spillover benefits to people outside of Europe, and could similarly influence how companies conduct business regardless of the country.
What You Can Do
If you live in Europe, a good first step would be to familiarize yourself with the European Commission’s list of rights provided under GDPR. You’ll find step-by-step guides for things like asking a company what kind of data it’s collected about you, requesting that it stop processing that data, or delete that data altogether. It also shows you how to file a complaint if your personal data is leaked, and what to do about personal data collected about children.
Sounds easy, right? It’s not. Companies have had years to prepare for GDPR to go into effect, but most are still lagging on introducing the tools for users to exercise these new rights. “Companies are still struggling to provide the tools to help users,” says Woodrow Hartzog, a law and computer science researcher at Northeastern University and the author of Privacy’s Blueprint: The Battle to Control the Design of New Technologies. “It’s not as though the day after the GDPR comes into effect, all of our privacy problems are going to magically go away.”
One thing you can do right away: Start asking companies for the personal data they’ve collected about you. If you live in Europe, you’ll be able to demand much more than if you live in the United States. To see that in practice, the New York Times ran a great experiment to show the differences in data transparency between the two continents.
But the Emails!
Don’t have time to read through all the emails? That’s perfectly fine. “Generally speaking, I don’t think consumers—even if they wanted to—have the ability to meaningfully engage with this flood of emails,” says Hertzog. “Even if individual companies perfected these kinds of notices, users still have to deal with the onslaught of thousands of notices. The aggregate will crush us.”
“Realistically, most privacy policies will still not be human readable and will be hiding the needles in a haystack of legalese,” says Welinder. But the policies could point to new privacy toggles, or ways to prevent companies from processing and sharing your personal data. Those might be worth exploring, if only by quickly searching for key terms. Hertzog also says it’s “one area where we might see some meaningful gains for users seeking to take charge of their digital lives—even though in the aggregate, there’s relatively little they can do.”
For non-EU citizens looking for other ways to take control of their personal data, Hertzog suggests one more method: Vote for the laws and lawmakers in your country that share your view of privacy. The United States may never have a policy that rivals GDPR, but a number of new proposals suggest that American legislators are thinking about data privacy in new ways. Engaging with those ideas can be more powerful than anything else.