What is the GDPR?
The GDPR is a new regulation that grants European citizens more control over their personal data. By personal data the EU is referring to a huge range of information that includes anything from a person’s name, to their cultural identity, health status, ID numbers, IP addresses, and online search history.
The legislation establishes a new set of responsibilities which companies handling the personal data of European citizens must comply with. It makes the rules uniform across nations, identifies national authorities charged with enforcing them, raises the financial penalties for non-compliance, expands the concept of ‘personal data’, and compels companies to notify consumers of a data breach within 72 hours.
Who does GDPR affect?
All companies that manage the data of European citizens must be GDPR compliant. This means that Chinese or American companies must follow the rules when they handle EU citizen data, even if they have no offices in Europe. Facebook and Amazon are among the corporate giants who will be most affected, but they have huge legal armies working on compliance. For small and medium-sized enterprises, making sure all the boxes are ticked is much harder.
At the consumer level, GDPR only impacts EU residents. One of the most important features of the new law is that it gives ‘data subjects’ the right to demand companies reveal what information is stored about them. People can also ask for it to be deleted, corrected, or given to them in some electronic format. The problem is that data is often stored in multiple servers across different continents.
Why is GDPR happening now?
It is important to remember that the GDPR was passed by the European Parliament in April 2016 and so is not a direct response to recent controversies involving political use of social media. It replaces the 1995 Data Protection Directive and companies were given two years to get prepared.
European leaders considered the update necessary after a series of data breaches and hacks made headlines. Identity theft and the sale of credit card numbers and other data became a cause of huge public concern. Regulators were also keen to get to grips with growing trends in digital marketing as legal experts raised concerns about the legality of third parties using personal data to advertise products.
What does this mean for social media?
Facebook and other social media outfits have updated their privacy policies to comply with the legislation. They will face much greater scrutiny from European regulators, particularly with respect to data harvesting and information stored on users aged under 16.
The idea that social media companies own the photos and profile information posted on their websites is thoroughly rejected by the GDPR. Companies must now have users’ clear permission before receiving their personal data or selling it on to third parties.
GDPR will not, however, have retroactive impact. This means that the 87 million Facebook users who saw their data harvested in the Cambridge Analytica scandal, during the US presidential and Brexit political campaigns, cannot take legal action under the GDPR. Had the rules been in place before, Facebook would likely have been fined billions of dollars for its complicity in data harvesting.
What do business leaders think?
Business leaders steeped in a strong anti-regulation philosophy are widely opposed to GDPR. PayPal co-founder Peter Thiel has accused the EU of cracking down on Silicon Valley out of ‘jealousy’ because there are no giant tech firms in Europe. Other leaders are more positive and say GDPR has encouraged them to clean up their electronic records.
However, much of the business community remains in the dark about what GDPR means for them. More than half of affected companies are believed to be unsure what steps to take to comply. Some haven’t even heard of GDPR.
Yet the financial costs for non-compliance are huge. Regulators have the ability to fine companies €20 million or up to 4% of their global revenue, whichever is larger. This would amount to $7 billion for Amazon, or $1.6 billion for Facebook, and would likely cripple most smaller businesses.
Will it work?
This is the billion-dollar question. Critics argue the GDPR is an expensive bureaucratic burden placed by EU regulators on businesses which will discourage innovation. There is also concern that in the era of Big Data and Artificial Intelligence, the law could hurt Europe’s competitiveness.
Optimists believe the GDPR could herald a new era of consumer control by shifting the balance of power away from corporations. In this view the rest of the world will follow the example set by the GDPR to create a harmonised data regime and a new contract between people and companies based on transparency and consent.
An interesting final question is how many people care? A survey of UK consumers found that around half would consider using GDPR to demand Facebook remove old or embarrassing photos from its server. But the general consensus is that people are quite happy for their data to be stored, regardless of legal questions of consent, if it gives them quick and easy access to social media and their favourite products.