GDPR, or Why Privacy Will Be Stronger in EU Than U.S.: QuickTake

(Bloomberg) -- The European Union is introducing tougher rules for how data collectors gather and use its citizens’ information and let consumers control their own data. Starting May 25, all 28 EU nations will be applying the General Data Protection Regulation, which sets new standards for any holder of sensitive data, from Amazon to local government councils. These rules will apply to any company that collects the personal data of EU residents. Plenty of firms are scrambling to make sure they’ll be able to comply even as some privacy experts are pressing for similar rules in the U.S.

1. What will the GDPR do?

Companies will have to post clear notices for users and get their “unambiguous” consent to collect data, instead of burying an OK inside fine print and legal jargon. That means the EU will no longer tolerate the confusing “terms and conditions” that must be agreed to while signing up for a fitness tracking app or ordering groceries online. It will be as easy for consumers to opt out of giving consent as to opt in, and they’ll have the right to refuse that their data be used for direct marketing purposes. Consumers will have the right to retrieve their data and give (or sell) it to another business. Collection of data on children under the age of 16 will be banned without parental approval.

2. What types of data are we talking about?

Anything the EU has determined to be “personal data.” If the data is sensitive in nature and can be linked to a person, it falls under this umbrella of protection. This includes credit card numbers, travel records, religious affiliations, web search results, biometric data from wearable fitness monitors, and internet (IP) and personal computer addresses. It doesn’t include news articles, legal actions or public records.

3. Who must follow these rules?

Any entity “processing” personal data by collecting it, storing it or disseminating it. This means it’s not just social networking sites, search engines and big online retailers. The rules also apply to information collected by schools, chat rooms, property management companies and even Scout groups.

4. What’s this going to cost firms?

A survey of Fortune 500 firms shows they are, on average, setting aside $1 million for the added technology costs. Just over a third of those polled are budgeting $501,000 to $1 million for new permanent staff. Firms listed in the FTSE 350 see technology putting them out 430,000 pounds ($600,000) and staffing another 201,000 to 400,000 pounds.

5. What will they need to do to comply?

Firms and organizations with more than 250 employees will have to hire a data protection officer, who will be responsible for making sure the rules are followed through employee training and compliance audits. If a firm is smaller than 250 but is collecting large quantities of sensitive data, it will also need a DPO. If there’s a data breach, electronic data collectors will have to notify authorities within 72 hours and will have to alert customers in a timely manner if the breach poses a risk to them. So situations like Uber’s attempts to cover up of its 2016 data hack, or the slow release of information on Yahoo’s massive breach in 2013 will now be punishable with huge fines.

6. What’s the penalty for non-compliance?

Fines of up to $12.4 million (10 million euros), or 2 percent of annual worldwide revenue, whichever is higher. In cases of negligence or violating the conditions of consent and infringing on data subject rights, the fines can go as high as $24.8 million, or 4 percent of annual worldwide revenue, whichever is higher. If Google violated the rules, for example, fines could be more than $4 billion since its parent company, Alphabet, had more than $110 billion in revenue in 2017. In worst-case scenarios, the people responsible could face prison sentences. But it’s likely that any legal action taken against deep-pocketed web service companies would be fought in the courts for years.

7. How will life change for consumers?

They’ll have free access to the data that’s been collected on them and more information on how it’s being used. Data will be destroyed when it is no longer needed for the original task. To request access to their data, consumers will contact the data controller or controllers, whose contact info must be provided to consumers whenever information is collected. And because consumers will own their data, eventually they may be able to trade things like gift certificates from Zara in exchange for their shopping histories with J. Crew.

8. What data can consumers get removed?

Through the “right to be forgotten,” citizens can force organizations to erase information that was illegally gained, or no longer holds true. Data that serves no current purpose, or has been used for direct marketing, could also be on the chopping block. In some cases, consumers who don’t give permission for websites to use their information may not be allowed to post on social media or consumer review sites.

9. What happens to sites already collecting personal data?

They’ll need to make sure that the data they’ve collected adheres to new protocols. If they didn’t originally ask permission in a clear way to collect the information, or they didn’t let the subject choose whether to share it, they’ll need to ask again. The risk is that consumers will withdraw their consent, wiping out databases full of information. One company that could take a hit is Facebook, which hoped to combat slower growth in European users with added revenue from more tailored ads. But it’s not all bad news. “This is a chance for a lot of sectors to let customers know they are doing a good job protecting data,” said Bloomberg Intelligence analyst Tamlin Bason. He also pointed to potential winners: the large cloud companies that have the resources to become compliant before GDPR goes live. “That will help sell their data protective services.”

The Reference Shelf

©2018 Bloomberg L.P.