Last week, the European Parliament took a huge step towards finalizing its continent-wide data protection and privacy rule when it agreed to the language of the General Data Protection Regulation (GDPR), which regulates the use of EU citizens’ data. The GDPR has been years in the making, so its release and contents are no surprise to those who have been following the developments closely, but that doesn’t make its finalization any less significant. The Regulation will harmonize data protection laws across the EU and replace the current piecemeal, country-by-country, approach.
The EU has long placed a premium on the right to privacy, so the actual requirements in this law are, in many ways, no more onerous than those than many individual countries already had in place. The major difference, however, is that enforcement mechanisms have been strengthened immensely. Companies can now be fined up to 4% of their annual global revenue for a violation of the GDPR, which for some large companies could reach into the billions of dollars. Given the EU’s recent treatment of U.S. tech companies, there are legitimate concerns that the GDPR could be enforced unfairly against them. Uneven enforcement is an even greater concern given that all 28 individual member state Data Protection Authorities (DPAs) will have the ability to enforce the law, and may not do so evenly, especially considering how vague the rules appear to be.
Some of the other new pieces of the GDPR are codification of the “right to be forgotten” law already in place, strong data protection rules, rules requiring notification of how an individual’s collected data is used, and an option for DPAs to raise the age of data consent from 13 to 16.
The rules are expected to be voted into law early next year, and companies will then have two years to come into compliance before enforcement begins. It thus won’t be until 2018 that we begin to see how the GDPR actually functions in practice. Until then, it will be up to U.S. companies and Congress to show the EU that we value individual privacy, and that our privacy regime is much stronger than it’s given credit for. Unfair or not, our companies have become the targets of the European DPAs in recent years, and we now have two years to assert our vision and support for privacy protections and seek appropriate changes to the Directive.
