How the E.U.’s new online privacy laws will affect you

You are free to share this article under the Attribution 4.0 International license.

The effects of the European Union’s sweeping new data privacy laws, set for implementation in May, won’t be limited to Europe, argues Albert Gidari, director of privacy at the Center for Internet & Society at Stanford Law School.

Known as the General Data Protection Regulation, these laws will restrict how tech companies collect, store, and use personal data from people across the EU—as well as require companies to clearly explain how they plan to use personal information.

Here, Gidari explains the new regulations and how they might affect American users:

What will these new laws actually do for personal privacy? Do you expect the EU regulations to improve privacy for everyone, not just Europeans?

The GDPR applies to the personal data of EU residents, so theoretically the changes in EU law would not provide greater protections for residents of the rest of the world. But the GDPR applies extraterritorially to those companies that process the personal data of any EU resident, so the practical effect of the law is to force platforms and Internet companies around the globe to comply with GDPR requirements everywhere.

The alternative would be for companies to create two separate systems and infrastructure to separate EU data, which simply isn’t practical in an interconnected world. That means people everywhere will see increased transparency about what data is collected, how it is used, to whom it is disclosed, and have the ability to limit all of the above.

Even though the compliance date is around the corner, we are still waiting to see how the GDPR will be implemented in each country, so people should look at this as a process that will take time. But because the fines are so great under the GDPR (up to 4 percent of global revenue), companies have had to anticipate compliance in many areas to be ready.

Facebook rolled out a new consent form for targeted advertising and more. It was introduced globally, rather than just in Europe.

Yes—you should be seeing new privacy policies, terms of use, and consent mechanisms right now as you log in to your services, setting out the changes in existing terms as companies prepare for the implementation date.

Do these new laws go too far, or not far enough, in regulating the personal privacy of users?

Whether the GDPR goes too far or not far enough in protecting privacy depends a lot on who is answering the question.

Certainly, companies have had to invest a small fortune in changing systems to meet requirements. For example, Google has hired hundreds of people to review requests for erasure, known as the right to be forgotten. Perhaps large companies can afford the compliance costs, but startups complain that these changes are bad for innovation.

Individuals largely have welcomed the changes, particularly the increased transparency and the right to see what data has been collected and to whom it has been disclosed, and to withhold consent yet still receive the service. There is no doubt that GDPR increases the protections for individual privacy, but at what cost remains to be seen.

Lastly, the GDPR creates momentum throughout the rest of the world for increased privacy regulation because cross-border data flows will be affected if the receiving country lacks adequate privacy protections. So we will see a global increase in privacy regulation as a result.

Will GDPR laws hit Google and Facebook targeted digital marketing revenues?