You may have noticed a stream of emails last week from companies like Twitter, Google, or Spotify, notifying you of updates to data privacy policies. That's because U.S. companies are flocking to comply with a new data protection regulation that went into effect May 25.
The General Data Protection Regulation (GDPR), developed by the European Commission, mandates that European Union-based companies and organizations that hold data on EU citizens take steps toward protecting consumer data, and communicate with customers about their legal data privacy rights. The new framework applies to organizations in all EU member states and has implications for businesses and individuals globally.
GDPR requires that companies that collect personal data do so in a safe and transparent way. These companies will be required to protect data from misuse or theft and respect the rights of "data owners" as outlined by the law.
U.S. companies that collect information or deliver services to EU citizens – whether they know it or not – should take note, local experts say.
“If you are marketing a service that’s going to be relevant to anyone in the world, and you want anyone in the world to buy your product, then you’re moving under the purview of the GDPR,” said Debra Innocenti, partner at San Antonio law firm Innocenti Jones, who specializes in business, internet, and technology law.
U.S.-based software, web publishing, e-commerce, travel, or hospitality companies for example, may need to review their marketing practices and make adjustments. Any company that has web content and an EU following may be impacted by the law.
"We’re now in a global economy because of technology," Innocenti said. "If you have an e-commerce storefront, you could sell your product to anybody ... which means that you’ve got to comply with the most restrictive law globally in terms of privacy.
“But the lion's share of the people [in San Antonio] that are asking me these questions are not subject to the GDPR,” she added.
If the GDPR sounds broad, that's because it is. The law is considered a first stab at responding to an epidemic of data breaches in recent years, holding companies and organizations accountable for the protection of consumer data.
Over the last decade, some of the largest data breaches have mostly reached mainstream media cycles such as Equifax in 2017, Uber in 2016, and Yahoo in 2013, but thousands of data breaches go unreported according to the online database Vigilante, which tracks data breaches. Vigilante estimates there have been more than 4,000 data breaches that compromised millions of users' data since 2003.
Under the GDPR, in the event of a breach, affected EU citizens have the right to be notified. Additionally, the law changes the way companies communicate with the public about the use of personal data.
EU citizens have additional rights under the law, including the right to request that companies remove their personal data from corporate databases, the right to demand a copy of their private data held by a company, and the right to receive notice of any processing of their personal data.
There may be spillover effects for American consumers if U.S. companies find it easier to offer protections across the board, rather than change privacy protections for different users based on their geographic location, Innocenti said.
“The laws that exist in the United States are a patchwork and they are divided up according to industry,” she said. The Health Insurance Portability and Accountability Act (HIPAA) governs healthcare information, and financial data is protected under the Gramm-Leach-Bliley Act, for example.
For now, Innocenti says no U.S. federal law that protects data privacy in general iscomparable to the GDPR.
“There’s going to have to be federal law in the form of a statute, because there is not a constitutional basis to argue for informational privacy in the United States,” she said.
Meanwhile, compliance with the GDPR may come at a significant expense for some U.S.-based companies. According to a recent PwC survey, 77 percent of U.S.-based multinational companies say they expect to invest more than $1 million to comply with the law – and the stakes are high for non-compliance. The law can fine companies up to 4 percent of their global annual revenue for noncompliance.
Some companies have opted to forgo their EU customers rather than comply with the new law. The Los Angeles Times and Chicago Tribune have blocked European audiences from accessing their content online in response to the GDPR.
Never seen this before. GDPR means I can’t see Chicago Tribune in the UK?! pic.twitter.com/pkfJGcyJmU
— Chris Leonard (@hooHar) May 31, 2018
— Andres Guadamuz (@technollama) May 25, 2018
International law firm White & Case tells companies to focus compliance activities in the areas of highest risk, like the large scale processing of sensitive data. Companies are advised by the firm to start with an impact assessment to determine ways to reduce their risk of non-compliance.
Still, there is no quick fix for companies seeking to comply with the new law, Innocenti says.
"These things take time."