What's changing under new data privacy rules

May 18, 2018 by Anick Jesdanun
In this July 1, 2013, file photo, a communication technician works at a phone and internet cable closet, at the European Council building in Brussels. New data and privacy rules take effect in Europe a week from Friday, clarifying rights that people have over how companies around the world collect and analyze personal data for targeted advertising and other tasks. (AP Photo/Yves Logghe, File)

Europe's new data and privacy rules take effect a week from Friday, clarifying individual rights to the personal data collected by companies around the world for targeted advertising and other purposes.

Years in the making, the rules are prompting companies to rewrite their privacy policies and, in some cases, apply the European Union's tougher standards even in the U.S. and other regions where privacy laws are weak. Although they take effect as Facebook faces an enormous privacy crisis, that timing is largely coincidental.

Not much will change for you, at least right away; companies will keep on collecting and analyzing personal data from your phone, the apps you use and the sites you visit. The big difference is that now, the companies will have to justify why they're collecting and using that information.

So now companies are flooding their users with notices that aim to better explain their practices and the privacy choices they offer. European Union regulators have new powers to go after companies that get too grabby or that don't tell you clearly what they're doing with your data.

Here's a look at what the rules say and what they mean for consumers in the EU and elsewhere.



That's when the EU's General Data Protection Regulation takes effect. Instead of separate rules in separate nations across Europe, there's now a single set for the entire EU.

The new rules apply to all users in the 28-nation EU, regardless of where the companies collecting, analyzing and using their data are located. So the rules will affect giants such as Facebook and Google and small U.S. businesses with just one European client alike.



Companies have to use plain language to explain how they collect and use data. While companies generally aren't changing what they're doing, they are revising privacy policies to eliminate legalese. Google is embedding video (from its YouTube service, of course) to further explain the concepts.

GDPR spells out six specific ways that companies can justify the "processing," or use, of personal data. Some are obvious, such as to fulfill contractual obligations—for instance, when an insurer pays out a claim. For other uses, such as ad targeting, companies can seek your consent. Those that aren't sure they got consent properly are now going back to users.

There's also a somewhat vague category called "legitimate interests." It's a catch-all justification that companies can fall back on to keep using data, though the company must show that its needs outweigh potential impact on users' privacy, said David Martin, senior legal officer for the European consumer group BEUC.

Companies are also required to give EU users the ability to access and delete data and to object to data use under one of the claimed reasons. Firms have to clarify how long they retain data.

And the rules force companies that suffer data breaches to disclose them within 72 hours. By contrast, it took Yahoo more than two years to reveal a breach that ultimately involved three billion users.



Facebook, Google and their ilk may be headquartered in Silicon Valley, but they have millions of users in Europe—and so have to comply with the new rules. Violators face fines of up to 20 million euros ($24 million) or 4 percent of annual global revenue—whichever is greater. That's an incentive for companies to take these rules seriously.



Companies based in the EU have to offer these privacy protections to all their users, not just EU residents. Beyond that, the EU rules merely say they apply to "data subjects who are in the Union."

But it's an open question how the rules will affect visitors to Europe. Ailidh Callander of the London-based group Privacy International says many questions will be tested in courts and further rulemaking.

What's clear is that companies won't have to be as aggressive getting consent for data collection outside of Europe. (Absent regulation, companies typically assume consent unless a user says otherwise.) They can hold off seeking affirmative consent until you visit the EU, at which point you might confront a pop-up notice.



Some companies are extending at least some EU-style protections to all users. But they won't face legal repercussions or fines if they fail to follow through with users outside the EU.

So unless the U.S. and other countries adopt privacy rules similar to those in the EU—something that's not likely any time soon—many companies are likely to maintain double privacy standards.

Facebook CEO Mark Zuckerberg, for instance, promised "global settings and controls" for users during his U.S. congressional testimony in April, but was otherwise vague on the subject. When asked if U.S. users would have the same rights Europeans have to object to the use of data, Zuckerberg said, "I'm not sure how we're going to implement that yet."

But segmenting EU customers from the rest of the world isn't easy, especially for smaller companies without Facebook's or Google's technical prowess. "It might seem like a smart move, but in some cases, it's more work," said Larry Ponemon, founder of the privacy research firm Ponemon Institute.


1 comment


not rated yet May 22, 2018
"It might seem like a smart move, but in some cases, it's more work,"

What's more work? Just don't snoop on people and you'll be fine.

Make your money by decent means - not by selling other people's privacy.

Making money out of things like targeted ads is legalized swindling, because the businesses that pay the adverts are taking the money out of their customers, so the person who the ad is targeted for is also paying the ad, without their consent.

The theory of advertising is to provide people with information about product availability, which is a valuable service. The practice of advertising is anything but - it doesn't actually work, because the advertisers aren't trying to inform you, they're trying to persuade you into buying things, or just spam your awareness with brands without marketing anything specific. That makes it a waste of time and effort for the society at large.
