Welcome to the Era of the General Data Protection Regulation

By: Matthew Hooker, Summer Blogger


On May 25, 2018, the General Data Protection Regulation (GDPR) went into effect. Although the GDPR is a regulation established by the European Union (EU), its impact extends far beyond the EU. The regulation applies not only to entities within the EU but also to any entity that handles the personal data of “data subjects” residing in the EU. As the New York Times puts it, “the borderless nature of the online world has virtually every commercial entity that touches the web making changes to its sites and apps to comply.”

The primary effect of the GDPR is that it grants people greater control over, and knowledge about, their private data. Under the regulation, companies must get a person’s consent to collect his or her personal data. This is why most consumers have begun receiving large numbers of emails from various websites informing them of updates to their privacy policies. Many companies are sending those emails to ask for that required consent. Additionally, the GDPR mandates that people should only have to share data that is necessary for the service to function properly. The GDPR also enables consumers to take meaningful action regarding personal data that a company has already collected. For example, under the regulation, a person can ask a company what information that company has stored about him or her and then ask the company to delete that information, send the consumer a copy, or correct an error in the information. Another benefit of the GDPR is that it requires entities to notify the proper supervising authorities of a data breach within seventy-two hours of becoming aware of the breach. Further, if there is a large chance that the breach creates a high risk to the data subject, then the entity must inform the data subject of the breach as well.

Not only does the GDPR increase a user’s control over his or her private data, but the regulation also has teeth to enforce those standards. If an entity fails to comply with the regulation, it can be heavily fined. For serious violations, a company can be fined up to four percent of its total global revenue or up to €20 million, whichever is larger. A fine like this could be about $1.6 billion for Facebook. Moreover, if a company fails to maintain its records or does not notify the authorities and affected data subjects of a breach, it can be fined up to two percent of its total global revenue.

Although the large volume of notices regarding privacy policy changes can be overwhelming, consumers should pay close attention to those emails. According to the European Commission, a request for consent must be “presented in a clear and concise way, using language that is easy to understand, and be clearly distinguishable from other pieces of information such as terms and conditions.” Many companies are using those notification emails to also ask for the requisite consent from the consumer to use his or her data under the GDPR. Other websites are using banners, pop-up notifications, and other similar devices to request consent. Consumers should carefully read those notification emails, pop-ups, and similar notices to identify whether they are being asked for their consent and, if so, what the company will deem to constitute that consent. For instance, Quora, a popular question-and-answer site, sent out a notification email about updates to its privacy policy and then added a brief line at the end stating that “your continued use of the service will be considered acceptance of our updated terms.” If consumers are not careful, they may find themselves consenting to data collection without being fully aware that they are doing so.

The European Commission currently provides a helpful resource on what a proper consent request should contain. Giovanni Buttarelli, the European Data Protection Supervisor, has criticized how some large companies have purported to meet the consent requirement, pointing out that some requests appear to attempt to “blackmail” users into either accepting the new terms or losing access to the platform. While companies claim to be complying with the GDPR’s consent requirements, he has suggested that some companies’ practices may violate the “spirit” of the regulation. What is left to be seen is how strictly the GDPR will be enforced and what types of penalties will actually be imposed on violators.

Matthew Hooker is a second-year law student at Wake Forest University School of Law and a member of the Transactional Law Competition Board. He holds a Bachelor of Arts in Communications from Thomas Edison State University and is a native of Gaithersburg, Maryland.