Over the past couple of months—maybe on the internet, maybe in a story on TV news—you have likely heard the acronym, “GDPR.” If you do not work in the technology industry and are not at least casually interested in tech, it’s possible these stories failed to earn a slice of your preciously finite attention. However, as a reader of our blog (and therefore a member of this internet), GDPR affects you directly and you should understand how.
What is GDPR?
The General Data Protection Regulation is a law, enacted by the European Union in May of this year, that overhauls the policies governing the collection and processing of online data. It massively expands the rights of individuals to control their own personal information. The law applies to all “data controllers”—that is, any website, app, etc. that collects data from its users—and guarantees a number of protections. The most important of these protections are:
- Highest privacy settings must be engaged by default. If you sign up for Facebook today, you must manually opt in for the public to see your posts. By default, Facebook sets the privacy level so that only friends can see your activity.
- All personal data must be encrypted. You may remember last year’s data breach on Home Depot’s website. The attack was so effective largely because Home Depot had stored usernames and passwords in plain text (rather than encrypting them and rendering this information meaningless without a decryption key). The encryption mandate in GDPR should prevent such breaches in the future.
- Right to access. You now have a right to know everything an online service knows about you. You also have a right to download that information in a portable format. Services like Facebook and Google have already complied and now provide a way for users to download their data. We will see more providers follow suit in the next several months.
- Right to erasure. Europeans have the right to request that a provider delete the information it has collected about them. The nuances of this element of the law are complicated, but the EU’s precedent so far seems to suggest a powerful scope (as established in the 2014 case in which EU judges ruled that Google must remove an individual’s name from search results).
Okay, but if this is European law, why does it affect me, an American?
As an American, you probably expect that European law does not affect you. This is true to an extent. Only citizens of the EU have legal recourse if their rights under GDPR are infringed upon. GDPR, however, applies to all companies doing business in the EU, including American companies and those located elsewhere in the world. So far, most large internet companies seem to be implementing GDPR compliance globally out of good will (read, “self-interest”) and convenience. This means you, even as an American, will have access to many of the same features as the European market. Perhaps more importantly, GDPR defines a new standard for internet privacy laws, which may eventually be implemented in American legislation as well.
At this point you might be thinking, “cool, more privacy!” If you are skeptical, though, you may be wondering why GDPR is necessary in the first place—what transgressions were so unacceptable that they justify enacting a law?
I’m glad you’re curious. We will explore this topic further in part 2.
To be continued. Keep watching.
Our Latest Podcast Episode
Check out one of our latest podcast episodes where I sit down with the rest of the Pixel & Hammer team and dive deep into GDPR & internet privacy!