The EU’s General Data Protection Regulation Nears Activation

On May 25, the European Union will activate its General Data Protection Regulation that gives users more control over the data collected and shared about them over the Internet. The law includes real punishment: 4 percent of its global revenue for any company that break the regulation. The impact to the user experience will not be apparent, especially for U.S. visitors there. But a European Union citizen is likely to see fewer ads that follow them around the Internet after an e-commerce purchase.

The New York Times notes that “the new law requires companies to be transparent about how your data is handled, and to get your permission before starting to use it … [which] raises the legal bar that businesses must clear to target ads based on personal information like your relationship status, job or education, or your use of websites and apps.”

European_Union_Flags

With the new regulation, consumers can ask companies such as banks, grocery stores and retailers “what information they hold about you, and then request that it be deleted.” Any consumer who believes her information is being “misused or collected unnecessarily … can complain to [her] data protection regulator, which must investigate.”

Making such a complaint isn’t simple, as “the law has 11 chapters and 99 sub-articles, and just initiating a case can take as many as 20 steps” says the International Association of Privacy Professionals. But the law allows for “class-action style complaints,” which haven’t been common in Europe. Some privacy groups are already “planning to file cases on behalf of groups of individuals,” with the idea that a couple of wins will “have a ripple effect and lead companies to tighten up how they handle personal data.”

The regulation also forces companies to allow consumers to download their data and move it to another service, including “moving financial information from one bank to another, or transferring Spotify playlists to a rival streaming service.”

Leading up to the law’s activation date, European Union citizens are receiving dozens of privacy policy updates, written in plain language, that allow them to opt-out of their data being collected. Critics are concerned that, due to the “deluge of emails,” users are agreeing to data collection without paying closer attention. European Data Protection supervisor Giovanni Buttarelli criticized the privacy policy emails as duping users into “thinking they have to accept the terms in order to keep using a service, rather than letting people choose what information to share.”

NYT opines that it’s too early to tell if the new regulation will have an impact, and that “the long-term effects of the new law won’t be known for years.” How strictly national regulators enforce the rules is one key factor, as are the data-protection agencies in each European Union country in charge of policing it. That’s a particularly concerning topic for officials in countries such as Ireland, where “Google, Facebook, Microsoft, Twitter and many other data-heavy companies are based.”

Finally, it also depends on the general public and whether “trading privacy for convenience remains a worthwhile deal.”