If you’re like many Internet users, in the last few weeks you’ve been inundated with vague, weirdly upbeat notices from companies announcing changes to their terms and privacy policies. Whether they say so or not, most of these updates are to comply with the European Union’s General Data Protection Regulation, or GDPR. The GDPR is a complex policy and regulatory regime that aims to give European citizens “digital rights” over their personal data: who holds it, what they hold, and how it is used.
The GDPR goes into effect on 25 May 2018, and—unlike previous data protection efforts in the EU—it applies uniformly across all EU nations and to any organization anywhere in the world holding or processing the data of EU citizens. That’s a vast swath of the Internet, and, indeed, the entire world economy. Given that the EU typically leads the way on digital consumer privacy, the GDPR will directly or indirectly raise the bar for how companies handle users’ personal data in much of the world.
So how does the GDPR work, and how will it impact you?
In broad terms, the GDPR applies to any EU citizen—data subjects, in the parlance of the regulations—and two broad, overlapping classes of organizations: data controllers and data processors. Data controllers collect and use information, while data processors store, manage, or act upon that information on behalf of data controllers.
Data controllers are everywhere and include any person or organization that collects personal information about EU citizens. Common examples include Internet titans (think Apple, Google, Facebook, Amazon, and Microsoft) and those shadowy “data brokers” that assemble information from public sources and track Internet use. But it also includes governments, public sector agencies, banks, health care providers, and virtually all employers.
Moreover, it covers retailers, restaurants, hotels, venues, and any business with customer records, as well as schools, museums, non-profits, charities, volunteer organizations—even sports leagues. TidBITS has European subscribers and contributors, so TidBITS is a data controller under the GDPR. Maybe you run a mailing list or a site for a hobby: if anyone from the EU is on your list or uses your site, guess what? You are a data controller. Data controllers bear the main responsibility for complying with the GDPR.
Data processors are typically one step removed from individuals: they handle personal information they didn’t collect themselves. Many service providers are data processors—Salesforce, Google Cloud, Microsoft Azure, and Amazon AWS all qualify. If you have a mailing list that you send to the postal service to have addresses standardized and verified, the postal service is a data processor. But the lines get blurred fast: let’s say you have a business that uses a payroll service. Your business would be a data controller, and the payroll service would be a data processor. However, if that payroll service uses data to, say, offer a service comparing salaries to industry averages, they are also a data controller.
Under the GDPR, personal information includes most data related to an identifiable person, regardless of whether that connection is made directly (say by name, government-issued identification, or banking information) or indirectly using factors like physical appearance, location, physiology, online identifiers, or economic, cultural, or social identities.
Email addresses, location data, smartphone device identifiers, and IP addresses—even dynamically assigned IP addresses—are all considered personal data. Technically, that means virtually every Internet site and Internet-connected app is subject to the GDPR once accessed by EU residents, since nearly all log users’ IP addresses by default.
Moreover, data regarding ethnicity, race, genetics, biometric data, health information, sex life, religious/philosophical beliefs, or trade union membership is deemed “sensitive” personal data subject to additional protections. And the GDPR doesn’t just apply to data collected on or after 25 May 2018: all previously collected data is covered as well.
Under the GDPR, there are only six lawful reasons for processing personal data:
- Consent
- Legal contracts
- Legal requirements
- Vital interests (protecting life)
- Public tasks (public interest or official functions)
- So-called “legitimate interests”
Legitimate interests are a somewhat subjective but seemingly narrow category where processing personal data is the only means to meet an end. Common cases would be businesses working with customers to fulfill orders or provide services. If I want a company to deliver a pizza, they have a legitimate need to know where to take it.
For advertisers, the GDPR leaves consent as the primary legal avenue for processing personal data—and the GDPR substantially raises the bar. Consent must be “freely given, specific, informed, and unambiguous,” and be given via a “clear affirmative action.” Silence, inaction, and scrolling through screens of legalese do not qualify as consent. All those “soft opt-in” pre-checked boxes won’t cut it anymore, and companies must present terms in an “intelligible and easily accessible form, using clear and plain language.”
Data controllers must also specify how personal information is used as part of the consent process, whether it be serving up ads, profiling by matching up with third-party databases, sharing it with partners, or other functions. However, companies won’t necessarily name with whom they’re sharing personal data unless a user makes a specific request.
These new rules are another reason you’re seeing so many privacy and policy updates: companies that have not previously satisfied these requirements must obtain their users’ specific, informed, and unambiguous consent before the GDPR goes into effect. Expect many firms to do a hard sell extolling the benefits of consenting, or—as in the case of Facebook—presenting affirmative consent as the fastest way to get annoying screens out of your way. If users don’t consent, the only option may be to stop using a particular app or service—but the GDPR requires that it must be as easy to withdraw consent as to give it.
Some companies may enable users to consent to some types of data use but not others: maybe an email address is required, but consenting to use of location or photos would be optional. However, many outfits will require all-or-nothing consent because that’s the least amount of work.
What Rights Do Individuals Have?
First off, any data subject—remember, that’s a resident of the European Union—must be able to withdraw their consent to use of personal data as easily as they gave it. Withdrawing consent probably means someone won’t be able to keep using a site, app, or service, but it does mean the company must stop using data if there is no other legal basis to process it (like a legal requirement). For instance, if you pre-order a book from a company and later withdraw consent regarding your personal data, the company can still use your personal info to fulfill your order—assuming you didn’t cancel it—without violating GDPR. Similarly, if the company is subject to a court order to retain personal data for auditing purposes, it isn’t violating GDPR if it keeps data for that audit after consent has been withdrawn.
Subjects also have a right to demand data controllers disclose whether their information is being processed. If it is, individuals have a right to access that data (for free!) along with details of why it’s being processed, who is processing it, and for how long. Generally, controllers must fulfill these requests within one month. Digital rights advocates are expected to make broad use of this right to map out the activities of firms like Facebook, Google, Apple, and Amazon, so companies that make broad use of personal data are gearing up for a torrent of requests once the GDPR goes into effect.
Subjects have the right to have information about them corrected under the GDPR. This right isn’t aimed so much at the Facebooks and Googles of the world as it is at agencies that report on credit, perform background checks, and determine eligibility for things like housing, employment, benefits, and medical care. Individuals have a right not to be subjected to decisions made by automated profiling if they have a significant legal impact on them, such as eligibility for housing or a job.
The GDPR also enshrines a “right to be forgotten,” meaning individuals can request all personal data about them be erased—again, barring any legal reason the controller must keep it. As with access requests, many Internet companies are expecting a flood of deletion demands once the GDPR goes into effect. EU residents unhappy with the likes of Google and Facebook may see deletion requests as a way to get back at them.
The GDPR also has a right to data portability—if subjects don’t like the way a controller is handling their data, they can request it be made available to them or another controller in a “commonly used” machine-readable format. Unfortunately, data portability will be pretty limited in the real world, at least initially. Most companies will be able to dump data to formats like JSON or XML, but it’s unlikely other controllers will be able to make much use of it. The European Commission seems to have intended data portability to apply to social networks, but there aren’t many meaningful ways to (say) transition a Facebook account to Twitter, Pinterest, or LinkedIn.
Data controllers and processors have a number of other specific obligations under the GDPR. Here are some highlights:
- Companies must report data breaches to their nation’s supervisory authority within 72 hours of discovery. If the breach is “high risk”—e.g., could result in identity theft—then impacted individuals must be informed “without undue delay.” This might be a public announcement for a large breach or individualized notifications. Remember when companies like Uber and Yahoo sat on massive data breaches for a year or more? That would violate GDPR.
- Controllers must document users’ consent to use personal data: that’s more than recording a simple yes or no, but more akin to a timestamped record including the version of the forms or screens used to collect it, along with all relevant documents like phone scripts, complete terms of service, and policies. If there is a dispute, controllers have to be able to prove consent was legitimately granted.
- Controllers can retain identifiable personal data “no longer than is necessary,” which is tremendously vague but follows a principle of data minimization and provides legal ammunition if controllers misuse or mishandle data they had no reason to keep. The GDPR encourages anonymization and pseudonymization to protect personal data.
- Controllers whose core activities include personal or sensitive data on a “large scale” must appoint a data protection officer. The GDPR does not define “large scale,” but there are no minimum thresholds. Some EU countries—most notably Germany—have stricter requirements for appointing a data protection officer.
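One way to keep the kind of consent record described above (a timestamped, per-purpose, append-only ledger that also notes the form version and a fingerprint of the exact terms shown, and that treats withdrawal as just another event), as an added example written for this article rather than code from TidBITS or from any GDPR tool; the terms text and subject ids are constructed placeholders:

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed terms text standing in for a real terms-of-service document.
TERMS_V3 = "Terms of Service v3: we email you a monthly newsletter (marketing)."


def terms_fingerprint(text: str) -> str:
    """SHA-256 of the exact wording shown to the user, so the ledger can show
    which text was consented to even if the document is edited later."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _when(at: Optional[str]) -> datetime:
    """ISO-8601 string (with offset) -> aware datetime; None means 'now'."""
    return datetime.fromisoformat(at) if at else datetime.now(timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str      # an internal id, not the person's email address
    purpose: str         # one purpose per event: "marketing", "location", ...
    action: str          # "grant" or "withdraw"
    at: datetime         # when the person acted (UTC)
    form_version: str    # version of the screen, form, or phone script used
    terms_sha256: str    # fingerprint of the terms text at that moment
    evidence: str        # what the person did, e.g. "ticked unticked box"


class ConsentLedger:
    """Append-only: events are never edited or deleted, only added."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id, purpose, action, form_version, terms_text,
               evidence, at=None) -> ConsentEvent:
        if action not in ("grant", "withdraw"):
            raise ValueError("action must be 'grant' or 'withdraw'")
        ev = ConsentEvent(subject_id, purpose, action, _when(at), form_version,
                          terms_fingerprint(terms_text), evidence)
        self._events.append(ev)
        return ev

    def has_consent(self, subject_id, purpose, at=None) -> bool:
        """The latest grant/withdraw for this subject and purpose, as of `at`,
        decides; no event at all means no consent (silence never qualifies)."""
        cutoff = _when(at)
        latest = None
        for ev in self._events:
            if (ev.subject_id, ev.purpose) == (subject_id, purpose) and ev.at <= cutoff:
                latest = ev
        return latest is not None and latest.action == "grant"

    def export(self, subject_id) -> list:
        """Everything held about one subject's consent, for a dispute or an
        access request, as plain dicts ready to serialise."""
        return [{"purpose": e.purpose, "action": e.action, "at": e.at.isoformat(),
                 "form_version": e.form_version, "terms_sha256": e.terms_sha256,
                 "evidence": e.evidence}
                for e in self._events if e.subject_id == subject_id]
```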
I’m Small-Time: Do I Need to Worry About the GDPR?
Some people who run Internet sites, apps, podcasts, or small businesses—particularly outside Europe—may assume (or hope) that the GDPR will have no real impact on them. That might be true in some cases, but many small online endeavors will have to make some adjustments. Even small businesses are data controllers, and data controllers bear most of the responsibility for complying with the GDPR.
I cannot offer legal advice, and every activity impacted by the GDPR will have different concerns. But here are a few things to consider:
- A purchase or contribution is not consent to marketing or further contact. If an EU resident buys something from your Etsy shop or makes a donation to your podcast, you cannot just add them to your marketing list as an existing customer. Consent to additional contact must be separate, clear, unambiguous, and affirmative. A pre-ticked checkbox on a checkout page won’t cut it.
- If you think you have some magic way of using an IP address, phone number, billing address, or other data to infer whether someone is an EU resident (so you can tell if the GDPR applies to them): you don’t. You would need to ask users directly if they’re EU citizens, and, if not, offer less privacy protection. That may not be a message you want to send. For small shops, applying GDPR protections to everybody is usually the shortest path.
- Only collect necessary information. If you run a mailing list, you have a legitimate need for a subscriber’s email address, but you don’t need their birthday, phone number, location, or even their name. Sure, some of that info is great for personalizing communications, but do you need it? Can it be optional? (And do you think automated personalization is fooling anyone?)
- Be ready to disclose all third-party businesses that process your customers’ information, whether payment processors (like PayPal or Square), shippers (like the USPS and DHL), cloud service providers (like Apple, Amazon, Google, or Microsoft), and many more. Does your site tie in directly with Facebook or Twitter? What about a mailing service like MailChimp or SendGrid? How about advertising networks? Analytics services? Under the GDPR users have a right to ask for this information directly; for many small businesses, it makes sense to include the information up front in privacy policies and terms of service.
- Only keep necessary information. Sure, you want to analyze your sales records to manage seasonal inventory, but you don’t need customers’ personal details to do that. Delete customers’ personal information when you no longer need it for any reasonable business purpose, unless you’re required by law to hang on to it. If you must keep it, anonymize the data (so individuals can’t be identified, even by you) or at least pseudonymize it: if your business records are compromised, there’s less risk to both you and your customers.
- Consider how you will respond to a customer who requests to view all the personal data you have about them. How will you verify this person is who they claim to be? How will you collate the data? How will you (securely!) make it available? Even for small businesses, this can become complicated. And you have only 30 days from when you receive your first request.
- Think about how you will respond to a customer who requests you delete all personal data about them. How will you ensure any data processors you use also delete that data?
- Users must be able to withdraw their consent to use of their data as easily as they gave it. This may mean changing your site or app to make withdrawal of consent easier and more apparent. You may also have to tell data processors to remove that person’s information.
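The “anonymize or at least pseudonymize” advice above (and the same point under the controllers’ obligations) in working form, as an added example written for this article rather than code from TidBITS or from any GDPR product. It assumes a keyed HMAC for pseudonyms, which is one common approach and not something the article prescribes; the order records and the key are constructed samples:

```python
import hmac
import hashlib
from datetime import date

# Constructed sample order records containing personal data.
ORDERS = [
    {"order_id": "A1001", "name": "Anna Example", "email": "anna@example.org",
     "address": "12 Rue Constructed, 75011 Paris, FR", "ordered": "2018-03-14",
     "item": "Widget", "qty": 2, "total_eur": 39.80},
    {"order_id": "A1002", "name": "Anna Example", "email": "Anna@Example.org",
     "address": "12 Rue Constructed, 75011 Paris, FR", "ordered": "2018-04-02",
     "item": "Gadget", "qty": 1, "total_eur": 12.00},
    {"order_id": "A1003", "name": "Bo Sample", "email": "bo@example.net",
     "address": "Hauptstr. 5, 10115 Berlin, DE", "ordered": "2018-04-20",
     "item": "Widget", "qty": 1, "total_eur": 19.90},
]


def pseudonym(email: str, key: bytes) -> str:
    """Keyed HMAC of the normalised email. Without `key` the token cannot be
    linked back to a person; with it, the same customer always gets the same
    token, so repeat business can still be analysed. Keep the key apart from
    the records so a compromise of one does not expose the other."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def country_of(address: str) -> str:
    """Coarse attribute retained in place of the full address (assumes the
    constructed 'street, postcode city, CC' layout)."""
    return address.rsplit(",", 1)[-1].strip()


def pseudonymise(order: dict, key: bytes) -> dict:
    """Drop direct identifiers, keep a linkable token plus the business fields."""
    return {"order_id": order["order_id"], "customer": pseudonym(order["email"], key),
            "country": country_of(order["address"]), "ordered": order["ordered"],
            "item": order["item"], "qty": order["qty"], "total_eur": order["total_eur"]}


def anonymise(order: dict) -> dict:
    """No identifiers and coarser attributes: enough for seasonal inventory
    analysis, not enough to single out a customer, so it can be kept."""
    d = date.fromisoformat(order["ordered"])
    return {"month": f"{d.year}-{d.month:02d}", "country": country_of(order["address"]),
            "item": order["item"], "qty": order["qty"]}


def erase_subject(records: list, email: str, key: bytes) -> list:
    """Honour a deletion request against pseudonymised records: recompute the
    subject's token with the key you still hold and drop every matching row."""
    token = pseudonym(email, key)
    return [r for r in records if r["customer"] != token]
```

The anonymised rows survive an erasure request because nothing in them refers to a person; the pseudonymised rows do not, which is the distinction the article draws.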
How Will Enforcement Work?
If EU residents believe their personal data is being unlawfully processed or misused, they can file complaints with supervisory authorities in their own countries. If that authority rules against an individual—or simply doesn’t respond to the complaint in 3 months—that person can take the matter to court. Both data controllers and data processors can be liable for any damage caused by their actions. Individual member states are responsible for establishing rules and penalties for infringements.
Failure to comply with the GDPR could be very expensive: fines can be up to 4% of a company’s worldwide revenue or €20 million—whichever is greater. However, such penalties are likely only if companies engage in egregious, willful violations of the GDPR—and would likely only apply after a lengthy court battle and appeals process. Most national authorities won’t expect perfect compliance and will be unlikely to levy heavy penalties if organizations generally try to do the right thing. National authorities will be primarily concerned with large-scale data processors and organizations handling high-risk data.
What about Brexit?
The United Kingdom is leaving the European Union on 20 March 2019, but it won’t be leaving the principles of the GDPR behind. The UK will comply with the GDPR when it takes effect this May, and under the proposed “Great Repeal Bill” the GDPR would be incorporated into UK law after Brexit. UK law will then be amended with a proposed Data Protection Bill, which is unlikely to diverge significantly from the GDPR.
However, Brexit may have some immediate data protection implications, since the UK will no longer be part of the US-EU Privacy Shield (the current framework for exchanging personal data for commercial purposes between the United States and EU) or the US-EU Umbrella Agreement (a framework for law enforcement cooperation). The UK wants its own separate replacements with both the United States and the European Union, but nothing has been agreed upon yet.
Will the GDPR Matter?
Internet users are increasingly aware their personal information can be sensitive, and we live in an era of massive data breaches. In bulk, our data is being leveraged to sow discord and influence elections. At a personal level, its misuse can have many consequences: identity theft, loss of a job, altered credit ratings, higher insurance rates, increased health care costs, and more. And, of course, our personal data is worth very real money to many of the world’s most valuable corporations.
With the GDPR, the United States will drop further behind the European Union in terms of data protection regulation. Soft “opt-ins” and pre-checked boxes are still permissible in the United States. Although there is a limited exception for credit reporting, individuals still have no real right to see data collected about them or have it corrected or forgotten. Although some U.S. states have enacted data breach laws, there is no national requirement that individuals be informed if their data is compromised. And companies can essentially use any personal data they have for whatever they like, for as long as they like.
However, the GDPR will have indirect benefits for Americans and many non-European Internet users—and the evidence is all those notices you’re receiving about new terms and privacy policies. Companies are feeling pressure to extend GDPR benefits to users outside of Europe. While some (like Google) are notably silent, Apple has already announced it is extending GDPR rules to customers in the United States and other markets, including giving users the ability to view and correct information Apple processes. Even Facebook says it will extend the “spirit” of GDPR to users outside Europe, although it won’t extend GDPR protections worldwide.
The GDPR should be viewed as an attempt to bring regulation up to date with the reality of the digital world. It won’t fix everything or solve every problem, but it’s a big reason why momentum is currently shifting toward better data protection, rather than away from it.