The General Data Protection Regulation: What it says, what it means
The European Union is about to roll out the most far-reaching overhaul of data protection rules in a generation — the General Data Protection Regulation (GDPR).
The reform has prompted an explosion of tech lobbying in Brussels and in European capitals.
Silicon Valley giants have expanded their presence across the Continent, partly in response to the new privacy rules.
And for lawyers, the GDPR’s gestation period has amounted to a cash bonanza. Legal professionals refer to the 88-page law as the “gift that keeps on giving” due to the rich stream of billable hours and contractual work that come with it.
But despite its global consequences, few people outside the public policy sphere know what the GDPR is really about, and how it will impact their companies and lives.
POLITICO is here to help.
Here’s a guide to the law, breaking down “what it says” and “what it means.”
Right to be forgotten
What the text says: Officially called “the right to erasure,” the GDPR says “the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.” (Article 17)
What it means: Those embarrassing pictures from years ago could finally disappear. Europeans can ask companies to tell them everything they know about them, and delete it all. Businesses will have to set up their datasets in ways that they can trace and delete all the data they have on someone — a challenging engineering task for some.
The right to be forgotten is not entirely new. It goes back to a 2014 lawsuit in Spain by someone who complained that Google’s search engine linked his name to an incident dating back to 1998. While the court case concerned search results, EU lawmakers took the concept to another level by imposing a “right to erasure” across the bloc.
The extent to which Europeans can take this is still being litigated. Two cases against Google are to be heard before the EU’s highest court later this year. One involves the right to have information about past criminality and political affiliations removed. The other concerns whether such information should remain accessible outside of the EU.
Consent
What it says: A company or authority “shall be able to demonstrate that the data subject has consented to processing of his or her personal data” and the consent has to be “freely given” and asked in an “intelligible and easily accessible form, using clear and plain language.” (Article 7)
What it means: Websites have been serving internet users with annoying pop-ups asking if they agree to the terms and conditions. Clicking “I have read [these] and agree” has been dubbed “the biggest lie on the internet” by academics.
Under GDPR, internet service providers will have to try harder. Users will have to understand what they’re signing up to, including if companies such as Facebook and Google use their data to target ads or sell it to others.
The question is what is meaningful, “freely given” consent. Some startups have even specialized in designing new ways to catch people’s attention.
Data breach notification
What it says: A company suffering a hack or breach of its data “shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority” and “shall communicate the personal data breach to the data subject [the user or customer] without undue delay.” (Articles 33 and 34)
What it means: There’s a running joke in privacy circles that there are two types of people: Those that know they have been hacked, and those that don’t yet know they have been hacked. You can check which group you belong to in the online database called Have I Been Pwned?
Since the regulation was adopted, the world has learned of a Yahoo data breach that affected 3 billion users, an Uber data breach that affected 57 million users, an Equifax breach that hit more than 143 million people (mostly in the U.S.) — and many more.
Lawmakers figured out a framework to put responsibility with companies for holding data and protecting it from falling into the wrong hands. Most of all, companies will have to set up a crisis management process for when an intruder manages to snatch the personal data they hold — and they’ll have to be open and transparent with authorities and customers about what happened.
One thing privacy lawyers agree on: Don’t follow Uber’s example. The company hid its data breach from the public eye for over a year and paid hackers to keep it quiet.
Data protection authorities
What it says: Each EU country “shall provide for one or more independent public authorities to be responsible for monitoring the application” of the GDPR. It comes with the power to conduct investigations, ask companies to “provide any information it requires” and fine them. (Chapter VI)
What it means: Europe’s privacy watchdogs will bite. The so-called European data protection authorities have gained prominence as they launched probes into data breaches at Yahoo and Uber or challenged WhatsApp’s data sharing with its parent company Facebook.
These authorities, long obscure organizations dealing with citizens’ complaints, are getting more powers and more resources to go after big companies that venture into big data analytics. Many, however, are still growing into their new role.
European Data Protection Board
What it says: “The European Data Protection Board (the ‘Board’) … shall ensure the consistent application of this Regulation.” (Articles 68 to 76)
What it means: A new European super-watchdog is taking shape called the European Data Protection Board. The Board will be officially established when GDPR kicks in in May and include representatives of the national data protection authorities — much like the current Article 29 Working Party, but with a lot more teeth.
The chair of the Board will have one of the highest-profile jobs in European privacy, acting as the voice and face of data protection authorities as they challenge tech giants.
4 percent fines
What it says: Certain “infringements [shall] be subject to administrative fines up to €20,000,000, or in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.” These fines would be “effective, proportionate and dissuasive.” (Article 83)
What it means: Regulators will hold a stick that’s worth millions, in some cases billions, of euros.
The European Commission previously ordered Ireland to claw back €13 billion from Apple for illegal state aid, and Google got slapped with a €2.42 billion fine for unfair competition practices in its Google Shopping services. But for privacy regulators, fining companies into the billions is a brand new power. It’s scaring many companies into complying with the GDPR.
Privacy by design
What it says: A company or organization gathering personal data has to ensure that, “by default, only personal data which are necessary for each specific purpose of the processing are processed.” (Article 25)
What it means: Everyone from browser makers like Mozilla Firefox and Google Chrome to fridge makers and the “internet of things” industry has to tweak its products to make sure the default setting doesn’t hoover up more data than is needed, and protects personal data from the outset. The rule has kickstarted a whole redesign effort by online service providers.
Data protection officer
What it says: Companies handling data that “require regular and systematic monitoring of data subjects on a large scale” need to have a “data protection officer.” (Articles 37, 38 and 39)
What it means: Larger businesses need a point person to manage your personal data, a go-to person that knows the risks to working with data and has the ear of the executives in an organization.
Automated decision-making
What it says: A user “shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects.” (Article 22)
What it means: Having computers make important life decisions, like whether you can get insurance or how quickly a doctor should treat your illness, is not always a good idea, EU lawmakers think.
Companies and authorities using algorithms to speed up work or reduce their workload will have to either ask for users’ explicit consent (see above) or have a human double-check a decision made by an algorithm if the user asks why they were treated in a certain way.
In short: It’s not enough to say “Computer says no.”