because it was hard to find
and gather information.
But in the digital world,
whether it's digital cameras or satellites
or just what you click on,
we need to have more explicit rules -
not just for governments
but for private companies.
~Bill Gates
Have you noticed the recent barrage of privacy policy emails? Or maybe you've had to click to accept a website's privacy policy before you can log in to your email or make an online purchase. Here's a copy of an email I received just last night:
What does the EU have to do with privacy regulations in the United States?
Simply put, not a lot. While some companies have announced that they will apply one uniform privacy policy worldwide, there is no requirement that data collection in the United States abide by the rules of the European Union (EU). In the US, we have sector-specific laws protecting the privacy of health records (HIPAA), financial records (the Gramm-Leach-Bliley Act) and children's data online (COPPA). That, of course, leaves a lot of unprotected data.
For more information on the GDPR, check these articles: 3 Things You Should Know About Europe's Sweeping New Data Privacy Law, and Everything you need to know about a new EU data law that could shake up big US tech.
What is the GDPR?
The General Data Protection Regulation (GDPR) is an EU regulation that was adopted in April 2016, replacing the 1995 Data Protection Directive. European authorities gave companies two years to comply, and it became enforceable on May 25, 2018. It protects anyone in the EU regardless of nationality, so Americans living in an EU country are covered by the new law. Moreover, it applies to any company, wherever it is based, that offers goods or services to people in the EU or monitors their behavior, which includes large American companies such as Google, Facebook and Microsoft.
Under the GDPR, personal data is any information relating to an identifiable person: what a person posts on social media, electronic medical records, mailing addresses, IP addresses, GPS locations, and so on. Every use of personal data needs a lawful basis. Consent is the one most people encounter, but processing may also rest on, for example, a contract with the person, a legal obligation, or the company's legitimate interests. When a company relies on consent, the request must be clear and separate from other terms, and the consent must be freely given, specific and unambiguous; for the most sensitive data (health, biometrics, religion, sexual orientation and similar categories) the consent must be explicit. If an individual asks a company to erase their personal data, the company must do so without undue delay, unless another legal ground requires the data to be kept, or face a penalty.
Under the GDPR, individuals (data subjects) also have the following rights:
- the right to access the personal data being stored by companies and find out where and for what purpose it is used;
- the right to ask whoever is controlling their data to erase it and potentially stop third parties processing it; and
- the right to take their data and transfer it to a different service provider.
The regulation addresses data breaches, too. Under the GDPR, companies must notify their data protection authority of a personal data breach without undue delay and, where feasible, within 72 hours of first becoming aware of it, unless the breach is unlikely to put the affected people at risk. When a breach is likely to put them at high risk, the affected individuals must also be notified "without undue delay." For more about the requirements of the GDPR, click GDPR, The Checklist For Compliance.
Companies could face steep penalties for failure to comply: as much as 10 million euros ($12.4 million) or 2% of annual worldwide revenue, whichever is higher, for violations such as inadequate security measures or failing to report a breach. For violating the basic principles of processing, including the conditions for consent, or infringing on data subjects' rights, the fines can go as high as 20 million euros ($24.8 million) or 4% of annual worldwide revenue, whichever is higher.
Too Soon to Tell
The law has been enforceable for just over two weeks, so its effect on the people it aims to protect and on the companies operating in the EU remains to be seen. How much it influences policy in countries outside the EU, such as the United States, is also an open question.
Another unknown is how Brexit will interact with the GDPR. Brexit, the United Kingdom's withdrawal from the EU, is scheduled to be complete on March 29, 2019. Until then, the UK is subject to the GDPR just like any other EU country, and it has already written the GDPR's requirements into its own Data Protection Act 2018. Afterwards, British companies will still have to observe the GDPR whenever they handle the data of people in the EU.
Will the United States ever follow suit and strengthen our privacy laws? Probably not. In the meantime, check GDPR: Why Privacy Is Now Stronger in EU Than U.S. for a discussion on how privacy laws compare.