On May 25, 2018, the General Data Protection Regulation (GDPR) went into effect. Although the GDPR is a regulation established by the European Union (EU), its impact extends far beyond the EU. The regulation applies not only to entities within the EU but also to any entity that handles the personal data of “data subjects” residing in the EU. As the New York Times puts it, “the borderless nature of the online world has virtually every commercial entity that touches the web making changes to its sites and apps to comply.”
The primary effect of the GDPR is that it grants people greater control over, and knowledge about, their personal data. Under the regulation, a company may process personal data only on a lawful basis; for most consumer-facing services that basis is the person’s consent, which must be freely given, specific, informed and unambiguous. This is why consumers have begun receiving large numbers of emails from various websites informing them of updates to their privacy policies: many companies are sending those emails to ask for that consent. Additionally, the GDPR’s data-minimization principle means that people should only have to share data that is necessary for the service to function properly. The GDPR also enables consumers to take meaningful action regarding personal data that a company has already collected. For example, under the regulation, a person can ask a company what information it has stored about him or her (the right of access) and then ask the company to delete that information, send him or her a copy, or correct an error in it. Another benefit of the GDPR is that it requires entities to notify the proper supervisory authority of a data breach within seventy-two hours of becoming aware of the breach. Further, if the breach is likely to result in a high risk to the data subject’s rights and freedoms, the entity must inform the data subject of the breach as well.
Not only does the GDPR increase a user’s control over his or her personal data, but the regulation also has teeth to enforce those standards. If an entity fails to comply with the regulation, it can be heavily fined. For the most serious violations, a company can be fined up to four percent of its total worldwide annual turnover or up to €20 million, whichever is higher. A fine of that size could be roughly $1.6 billion for Facebook. Lesser violations, such as failing to maintain the required processing records or failing to notify the authorities and affected data subjects of a breach, carry fines of up to two percent of total worldwide annual turnover or €10 million, whichever is higher.
The European Commission currently provides a helpful resource on what a proper consent request should contain. Giovanni Buttarelli, the European Data Protection Supervisor, has criticized how some large companies have purported to meet the consent requirement, pointing out that some requests appear to attempt to “blackmail” users into either accepting the new terms or losing access to the platform. While companies claim to be complying with the GDPR’s consent requirements, he has suggested that some companies’ practices may violate the “spirit” of the regulation. What is left to be seen is how strictly the GDPR will be enforced and what types of penalties will actually be imposed on violators.
Matthew Hooker is a second-year law student at Wake Forest University School of Law and a member of the Transactional Law Competition Board. He holds a Bachelor of Arts in Communications from Thomas Edison State University and is a native of Gaithersburg, Maryland.