Kevin Cunningham, MJLST Staffer
For as long as the commercial web has existed, companies have monetized personal information by mining data. On May 25, however, individuals in the 28 member countries of the European Union will have the ability to opt into the data collection used by so many data companies. The General Data Protection Regulation (GDPR), agreed upon by the European Parliament and Council in April 2016, will replace Data Protection Directive 95/46/EC as the primary law regulating how companies protect the personal data of individuals in the European Union. The requirements of the new GDPR aim to create more consistent protection of consumer and personal data across the European Union.
Publishers, banks, universities, data and technology companies, ad-tech companies, devices, and applications operating in the European Union will have to comply with the privacy and data protection requirements of the GDPR or be subject to heavy fines (up to four (4) percent of annual global revenue) and penalties. Some of the requirements include: requiring consent of subjects for data processing; anonymizing collected data to protect privacy; providing data breach notifications within 72 hours of the occurrence; safely handling the transfer of data across borders; and requiring certain companies to appoint a data protection officer to oversee compliance with the Regulation. Likewise, the European Commission posted on its website that a social network platform will have to adhere to user requests to delete photos and inform search engines and other websites that used the photos that the images should be removed. This baseline set of standards for companies handling data in the EU will better protect the processing and movement of personal data.
Companies will have to be clear and concise about the collection and use of personally identifiable information such as name, home address, location data, or IP address. Consumers will have the right to access data that companies store about them, as well as the right to correct false or inaccurate information. Moreover, the GDPR imposes stricter conditions on the collection of ‘sensitive data’ such as race, political affiliation, sexual orientation, and religion. The GDPR will still allow businesses to process personally identifiable information without consumer consent for legitimate business interests, which include direct marketing through mail, email, or online ads. Still, companies will have to account
The change to European law could have global ramifications. Any company that markets goods or services to EU residents will be subject to the GDPR. Many of the giant tech companies that collect data, such as Google and Facebook, look to keep uniform systems and have either revamped or announced a change to privacy settings to be more user-friendly.