As of Friday, 25 May 2018, the European Union (EU) is enforcing compliance with the General Data Protection Regulation (GDPR). The GDPR is the new regulation covering data protection and privacy standards for EU residents. Companies that transfer, process or maintain the data of EU residents must adhere to the new standards regardless of where the company comes into contact with the data. The GDPR replaces the old EU Data Protection Directive which had been the foundation of data privacy laws of EU member states since 1995.
Companies and their vendors that transfer, process or maintain the data of EU residents, including transferees residing in the EU, must be in compliance with the new requirements or face potential fines.
Companies that fail to comply with the GDPR could face fines up to 4% of total global gross revenue or €20 million (currently about $23 million), whichever is greater. The EU Parliament adopted the GDPR on 14 April 2016, giving companies approximately two years to come into compliance with the regulation prior to its enforcement.
In the few days since the GDPR has been enforced, complaints over violations have already been filed against several large tech companies including Google and Facebook. The lawsuits were filed by noyb.eu, a privacy advocacy group, stating the companies have violated the new law by forcing users to consent to their new data agreement terms or be denied access. According to noyb.eu, the potential fine for Google could be as much as €3.7 billion and Facebook a maximum of €1.3 billion.
Several companies that have an online presence and had not achieved compliance by the 25 May 2018 deadline have blocked access to their websites from devices in EU member states. This includes a number of news organizations such as the Baltimore Sun, Chicago Times, Los Angeles Times and the New York Daily News. Other organizations such as NPR are giving EU residents the choice of agreeing to access the full NPR site, which includes the tracking of data, or accessing a plain text version of the website.
While the GDPR applies only to EU residents, larger companies that handle EU resident data will likely make changes to their data privacy policies for all users so as not to have two standards and policies depending on the residency of the individual. Thus, even if you are not an EU resident, it is likely you have received emails lately from companies with an online presence notifying you of their new privacy policies.
For more information and current news on the GDPR, please go to the EU GDPR website. You can also access a recent article on GDPR in the April issue of Mobility Magazine.