Journal of Information & Privacy Law

GDPR, or the latest acronym that aims to protect users’ online data

By Keri Mikuska, Staff Editor on Thursday, April 18th, 2019

In the past several months, internet users may have noticed that a significant number of websites have been displaying pop-up banners asking users to accept the site’s new privacy policy. Many users click “accept” and don’t give it a second thought; that acceptance is typically stored in the user’s internet browser, and the website will not prompt the user again unless he or she deletes the site’s cookies.

But why are so many websites suddenly asking to track users?

The answer is the European Union’s General Data Protection Regulation (“GDPR” or EU Regulation 2016/679), which went into effect on May 25, 2018.

The European Union enacted the GDPR for the purpose of protecting the personal data—specifically data collected over the internet as a result of recent technological advances—of subjects within the EU. And it’s not only member countries of the European Union that are subject to GDPR: any entity that offers goods or services to, or otherwise monitors, data subjects in the EU is subject to this regulation. This makes companies across the globe subject to the GDPR if they offer goods or services to individuals in the EU, even if the only service is merely access to a website. Failure to comply may result in substantial fines of up to 20 million euros or four percent of the company’s total revenues. In January 2019, France assessed a $57 million fine to Google for failure to comply with GDPR. Further, damages are not necessary to trigger liability under the GDPR; a company’s non-compliance alone may be enough to trigger penalties.

The GDPR is a complex regulation, but at its heart is the aim of giving individuals control over their own personal data in a transparent and understandable way. Businesses (and any “controller” or “processor” of personal data) must be able to do the following in order to comply with the GDPR:

  • Obtain consent from users before collecting their data. Users must consent before a company can begin collecting personal data. The company must notify users what data they are collecting and for what purposes, and it must provide users with a way to opt-out before collection begins and after collection has occurred. Implied consent is not enough.
  • Deliver all personal data to an individual upon request. Users have the right to know what personal information is collected and why it is collected. Most users are aware that when they are completing a form or making a purchase, they are providing that form or purchase information to the company and to one or more processors. However, many users were previously unaware of other personal data collected for marketing or other purposes. Under the GDPR, companies must provide a download or export of every single data point they have collected on an individual, and it must be provided within a reasonable timeframe.
  • Delete all personal data belonging to an individual upon request. Similar to the request above, at any time, individuals may request that a company deletes their data and stops collecting future data. These provisions require that companies who collect personal data have a process and mechanism for identifying data as belonging to a specific individual, toggling collection, and destroying that one user’s data.

The requirement to separate out data belonging to an individual user requires some companies to make changes to the backend configuration of their websites. Most have since upgraded their systems to comply with the GDPR, resulting in the pop-up banners and cookie prompts that end users now see. Other companies have instead taken measures to ensure their goods and services are simply not offered to data subjects in the EU. In addition to blocking access by EU users, one newspaper website in Arizona went so far as to update its privacy policy to clearly state: “This Site is not intended for use by persons located within the European Economic Area (EEA).” There are, however, exceptions to the applicability of this regulation. For example, data obtained for a lawful purpose is not subject to the GDPR, nor is data that has been truly anonymized and is thus unidentifiable as belonging to an individual person.
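To make the three obligations listed above concrete (consent before collection, export on request, erasure on request), here is a small Python sketch of the per-subject data store the paragraph above alludes to. It is an added illustration written for this page, not code from the post or from any company mentioned in it; the class and method names (`PersonalDataStore`, `collect`, `export`, `erase`), the sample subject id, and the sample data values are all assumptions. Two design points it shows that the text does not: collection is refused, not silently dropped, when consent is absent or has been withdrawn, and the audit trail that proves a request was honoured records only subject id, action and timestamp, never the personal data itself, so erasing a subject does not leave a copy of their data in the log.

```python
"""Minimal per-subject personal-data store: consent gate, export, erasure.

Added illustration; names and sample values are assumptions, not from the post.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone


class ConsentRequired(Exception):
    """Raised when data is offered for a subject who has not opted in."""


@dataclass
class SubjectRecord:
    consented: bool = False
    data: dict = field(default_factory=dict)


class PersonalDataStore:
    def __init__(self):
        self._subjects = {}   # subject_id -> SubjectRecord
        self.audit = []       # list of {"ts", "subject", "action"}; no personal data

    def _log(self, subject_id, action):
        # Audit entries name the subject and the action only, so the log can
        # demonstrate compliance without becoming a second copy of the data.
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "subject": subject_id,
            "action": action,
        })

    def set_consent(self, subject_id, granted):
        """Record an explicit opt-in or opt-out; implied consent is never assumed."""
        rec = self._subjects.setdefault(subject_id, SubjectRecord())
        rec.consented = bool(granted)
        self._log(subject_id, "consent_granted" if granted else "consent_withdrawn")

    def collect(self, subject_id, key, value):
        """Store one data point, but only for a subject who currently consents."""
        rec = self._subjects.get(subject_id)
        if rec is None or not rec.consented:
            self._log(subject_id, "collect_refused:" + key)
            raise ConsentRequired(subject_id)
        rec.data[key] = value
        self._log(subject_id, "collected:" + key)

    def export(self, subject_id):
        """Return every stored data point for the subject as a JSON document."""
        rec = self._subjects.get(subject_id)
        payload = {
            "subject": subject_id,
            "consented": rec.consented if rec else False,
            "data": dict(rec.data) if rec else {},
        }
        self._log(subject_id, "exported")
        return json.dumps(payload, sort_keys=True)

    def erase(self, subject_id):
        """Delete all data for the subject; returns how many data points were removed."""
        rec = self._subjects.pop(subject_id, None)
        removed = len(rec.data) if rec else 0
        self._log(subject_id, "erased:%d" % removed)
        return removed

    def has_subject(self, subject_id):
        return subject_id in self._subjects


def demo():
    """Walk one constructed subject through opt-in, export, opt-out and erasure."""
    store = PersonalDataStore()
    refused_before_consent = False
    try:
        store.collect("subject-42", "email", "user@example.test")  # constructed value
    except ConsentRequired:
        refused_before_consent = True
    store.set_consent("subject-42", True)
    store.collect("subject-42", "email", "user@example.test")
    store.collect("subject-42", "ad_segment", "outdoor")
    exported = json.loads(store.export("subject-42"))
    store.set_consent("subject-42", False)
    refused_after_withdrawal = False
    try:
        store.collect("subject-42", "last_visit", "2019-04-18")
    except ConsentRequired:
        refused_after_withdrawal = True
    removed = store.erase("subject-42")
    return {
        "refused_before_consent": refused_before_consent,
        "exported_data": exported["data"],
        "refused_after_withdrawal": refused_after_withdrawal,
        "removed": removed,
        "still_present": store.has_subject("subject-42"),
        "audit_mentions_email": any("example.test" in json.dumps(e) for e in store.audit),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real system the subject id would be the join key across every table and every processor that holds the subject's data, and `erase` would have to fan out to all of them (and to backups, on their retention schedule); the point of the sketch is that none of the three requests can be honoured unless the data was tagged with that key when it was first collected.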

In June 2018, the state of California passed its own data privacy law, the California Consumer Privacy Act of 2018, which is similar to the GDPR but focused on data subjects within the state of California. The California Consumer Privacy Act (CCPA) is scheduled to go into effect on January 1, 2020. This will be the first comprehensive online privacy law for U.S. citizens, and as technology continues to advance and change the way individuals interact on the internet, regulations like this serve to encourage responsible practices for collecting and using personal data. Currently, Congress is considering enacting U.S. consumer privacy regulation similar to GDPR on a federal level. A current bill in the Senate, the Consumer Data Protection Act of 2018, proposes giving the Federal Trade Commission the authority to set nationwide standards for the collection and processing of personal data, as well as the ability to administer fines and criminal penalties for violations.

Others, however, believe that the GDPR is a “disaster for free speech,” particularly when it is applied in a way that forces a journalist to give up his sources, as recently happened with an investigative piece in Romania.

In an age where technology and social media pervade everyday life, where the lines between public and private are increasingly blurred, an individual’s right to privacy is more important than ever.

The full text of the EU regulation can be found here.
