It was May 25th, 2018, and the sun was certainly shining in many of the (then) 28 European Union member states. In the offices of many companies in (and often also outside) the EU, this was a day of chaos.
In the run-up to that day, the companies had sent out countless emails to their clients and customers, asking them for consent with receiving their newsletters, something they had never really asked for prior to this day. At the same time, many businesses without dedicated personnel had been trying to figure out what kinds of data they actually held on their customers and how to organise and safeguard it going forward.
But what was this landmark event?
On that day, the General Data Protection Regulation, or GDPR, came into effect, dramatically changing everyone’s mindset on the use of personal data by both EU- and non-EU-based companies that collect, process, and store the data of EU citizens.
Four years on, consumers in Europe already expect companies to comply with this regulation when clicking the “Accept” or “Agree” button on their sites’ terms and conditions (which, let’s face it, hardly anyone ever reads), as well as assume that regulatory authorities monitor the application of the regulation.
So, what were the main changes?
Before GDPR, no one could really know what kinds of customer data companies were holding. Was Facebook just keeping our name and phone number or email? Was Google keeping a record of our searches? What does Netflix know about us from the content we watch? And how were these companies using this knowledge?
- To answer these questions, GDPR is applicable to a wide array of data collected:
- Basic identity information – name, address and ID number, religious beliefs, political affiliation, racial or ethnic origin, sexual orientation.
- Health data – health conditions, blood tests, COVID-19 vaccines, etc.
- Communications: geolocation, IP addresses, web history, phone calls and texts.
- Other data such as bank details, shopping data and app usage.
- Companies need to respect citizens’ eight rights:
- The right to be informed that their data is being collected and used, for how long and how it will be shared. The information must be given in simple and accessible language.
- The right to access all data processed by a company as well as the reason that data is being collected or from what source it was acquired.
- The right of rectification in case any piece of data is incomplete or wrong.
- The right to be forgotten can be requested if at any moment someone withdraws the consent given to a company to hold that data if the data is no longer necessary or if it was unlawfully processed.
- The right to restrict processing as an alternative to the erasure of data. Users can simply request that their data is not used for some purposes. For example, one can give consent to use data for content personalization within a streaming platform, but not in marketing campaigns.
- The right to object to processing further data.
- The right to data portability. If the user wants to access their data collected by a company and hand it to another company, the bottom line is: Your data is yours. You can take it wherever you want.
- The right not to be subject to profiling based on a set of data with characteristics that might define behaviors, beliefs, or other information.
- It has a global impact
One would guess this regulation was a drastic change just for EU-based companies, but its effects go much further. GDPR is applicable to all businesses that offer goods or services in the EU or that process the data of any citizen in the EU. By the same token, EU citizens’ data can only be exported to (and used by) countries with similar privacy regulations.
Being one of the three largest economies in the world, the EU drives investment from all corners, setting GDPR as a minimum standard requirement to operate in any of the 27 member states. It is not surprising that all over the world, data protection regulators have been adopting national legislation in an effort to harmonize the set of rules companies should comply with.
This is the case in Canada, Argentina, Brazil, Uruguay, Japan, New Zealand and, more recently, South Korea. In fact, Canada’s PIPEDA has been in place since 2001, having lent much of its spirit to the EU law regarding establishing accountability as a fundamental legislative principle, but with one essential difference: Contrary to the Canadian law, GDPR applies not only to commercial actors, but also to government entities.
In the US, however, the landscape is somewhat more diverse. On a federal level, different laws regulate targeted areas, such as HIPAA for health, FCRA for credit ratings, FERPA concerning education, GLBA for loans and investment data, ECPA on monitoring communications, COPPA limiting the processing of data belonging to children under 13, VPPA for VHS rental records or the FTC Act that makes sure companies comply with their own privacy rules. Only five states have adopted comprehensive privacy laws that are either in effect or will become effective next year: California (CCPA and its upcoming ‘update’ known by the acronym CPRA), Colorado (ColoPa), Virginia (VCDPA), Connecticut (CTDPA), and Utah (UCPA).
- If there’s a data breach, it must be reported no later than 72 hours after discovery
One of the biggest novelties introduced by GDPR was the obligation for companies to report a data breach within just three days after becoming aware of it. In comparison, up until now, the US’s strictest timeline for reporting breaches was 30 days.
This requirement prompted companies to have proactive plans to address data breaches, contrary to the temptation to take just too long to do it and try to avoid a PR crisis. In a time when such incidents are commonplace, citizens need to know that their data might be compromised so they can take action.
- If some of these rules are not applied, there are fines
It is certainly not just empty words with no meaningful consequences. GDPR is being enforced and as of May 23rd, 2022, GDPR violations have resulted in 1,093 fines worth a total of €1.63 billion (US$1.74 billion) And arguably the biggest “actions” have been news around the world, impacting the work of Big Tech.
In 2021, Amazon was fined €746 million (US$865 million), the largest amount so far, for targeted advertising without sufficient consent. The case against Amazon was taken by the Lux officials, where the company seats, after the French organization La Quadrature du Net made the complaint on behalf of 10.000 people who signed its petition. Also in 2021, Google was slapped with a fine of €90 million (US$102 million) for not providing residents in France an easy option to refuse the use of cookies. (Cookies are partly regulated through the ePrivacy Directive, but GDPR applies because it governs how data consent is managed.) Google Ireland and Facebook were given similar fines for the same reason.
Other well-known companies such as clothes brand H&M, the British Airways and even the Dutch Tax and Customs Administration have been fined and had to adapt their data protection mechanisms.
You are in control of your data
This is one of the most common messages sent out by many companies these days. These statements both make you feel empowered and show companies comply with data and privacy rules.
GDPR was certainly an important first step toward ensuring our data is secure. But the mere existence of this regulation should not make us stop questioning why this data collection is needed. Why do companies need to know so much about what we do, where we go or how we dress? And what alternatives are there when we don’t consent to the use of a specific part of our data? Can we find alternative services?
Moreover, if so many services and apps don’t mind giving us access to them for free in exchange for our details, then what is the real value of our data that can exceed revenues based on subscription fees?
This is certainly a conversation we will all need to have sooner rather than later.
Discussion about this post