This May, a sweeping new data protection law takes effect across the European Union and will change the way tech companies handle personal data anywhere on the continent. It’s called the General Data Protection Regulation (GDPR), and it replaces the patchwork of national data protection laws that EU member states built on top of the 1995 Data Protection Directive with a single set of rules that applies directly in every member state.
In a way, the regulation approved two years ago is a welcome move: hyper-local data protection laws threatened to carve Europe up into a series of data silos, all with different rules, and the complexity of complying with all those laws would have been prohibitively expensive for cloud startups (and big companies) operating in Europe. Still, the GDPR sets strict new expectations for data handling and carries stiff fines for companies that violate those regulations.
If you work with European customer data inside a big tech company, you’ve probably been having Y2K-esque meetings about the May deadline for a while now. But if you’re a smaller company, a startup just getting off the ground with intentions of offering services in Europe, or just interested in the future of data protection laws, here’s what you need to know.
What is the GDPR?
The EU Parliament approved the GDPR in April 2016 after much debate throughout Europe on the best way to handle private data on the internet in the modern era. In a world growing skeptical of tech companies where massive breaches of personal data are commonplace, there is definite interest in setting clear rules for how personal data should be acquired, stored, and disposed of by those companies.
For the purposes of the regulation, “personal data” means any information relating to an identified or identifiable person, which covers everything from email addresses and IP addresses to credit-card numbers and medical records. The rules apply not only to companies established in the EU but to any company that offers goods or services to people in the EU or monitors their behavior, regardless of where the company or its servers sit. If you have users in Europe, assume you’re subject to them.
So what are the new rules?
The main goal of the GDPR is to set clear expectations for how data should be handled among European Union states (we’ll get to the Brexit train wreck in a bit).
One new rule should get everyone’s attention: once a company becomes aware of a breach of personal data, it has 72 hours to notify the relevant data protection authority, and if the breach is likely to put the affected people at high risk, it must also tell them without undue delay. That’s much faster than a lot of companies are used to operating: it took Equifax several weeks to notify U.S. consumers of a massive security breach earlier this year, and Uber sat on information about a breach for over a year. The regulation allows details to be supplied in phases, but the clock starts at detection, not at the end of the investigation, so an incident-response plan needs a notification track that runs in parallel with containment and forensics rather than after them.
Another important rule codifies the “right to be forgotten,” formally the right to erasure: a person can demand that a service delete the personal data it holds about them, including publicly facing content such as profiles and search results. Services can weigh that demand against the public’s interest in the information and the right to free expression, allowing different treatment for a politician looking to erase damaging coverage and a teenager who made a mistake, but companies will have to set up a way to receive, evaluate, and act on such requests. Acting on one means knowing where every copy of a user’s data lives, including backups and the downstream processors the data was shared with.
This sounds a bit vague and complicated
It could be! For example, one of the new requirements directs companies to follow a “privacy by design” approach (the regulation’s own term is “data protection by design and by default”): build privacy into products from the first line of code, and collect and expose only the minimum data a feature needs by default, rather than tacking privacy tools on later. It’s not hard to imagine reasonable people disagreeing about what that looks like in practice, or newer, stronger methods for protecting privacy using emerging technologies or techniques being held back because regulators don’t understand why the new approach is better.
Companies will also have to keep internal records of their data processing activities (what data they hold, why, who it is shared with, and how long it is kept), which is routine for larger companies used to operating across borders but could present problems for newcomers without clear policies. Companies whose core activities “require regular and systematic monitoring of data subjects on a large scale,” or that process sensitive categories such as health data on a large scale, will also have to designate a “data protection officer,” but the regulation does not define what “large scale” means.
However, it’s still better than the alternative, in which all EU member states would have decided to implement their own data protection laws. This was starting to happen prior to the 2014 agreement, and would have made operating cloud services that move data back and forth across national borders — a regular event for users of Amazon Web Services, Microsoft Azure, or Google Cloud Platform data centers in Europe — a very sticky wicket indeed.
What do I do about my users in the U.K.?
Whatever actually results from the turmoil of the Brexit process, the U.K. is considering its own data protection bill that largely conforms to the GDPR, so any change you make to your data handling strategy in line with GDPR requirements should cover you in the U.K. as well.
Will this have any impact on U.S. data protection laws?
It’s hard to imagine new U.S. consumer data protection laws passing in our current political climate, perhaps best described as a once-in-a-lifetime land grab for corporate interests, but the GDPR rules could have a subtle effect on the way U.S. consumer data is handled. Large companies that do significant business in Europe might decide that it’s just easier to lump all their customers into the same bucket using the GDPR rules as a baseline, rather than maintaining separate data-handling policies based on the region in which that user accessed their services.
Furthermore, allowing Europe to test-drive new regulation could help better inform future attempts at data protection laws here in the U.S. There will undoubtedly be technical issues, legal decisions, and bureaucratic inertia that combine to highlight areas in which the GDPR rules need to be tweaked or changed in order to best serve all parties.
Either way, long-term concerns about data protection are certainly not going away. As companies adjust to the requirements of the GDPR, we’ll get a better sense of how those concerns will play out.
(Editor’s note: This post was updated to correct the year in which the GDPR was approved.)