What is the GDPR?

This year has proven to be a defining one for the tech industry with incidents like Meltdown and Spectre, the Cambridge Analytica scandal and the consequent Facebook hearings dominating headlines. In a timely coincidence, the European Union, over the course of the past few years, has developed the most extensive piece of privacy legislation ever created. Dubbed the General Data Protection Regulation (GDPR), these rules go into effect on May 25, 2018, and it’s speculated that they could substantially strengthen Internet privacy around the globe. In this post, we’re going to cover the ins and outs of this new legislation and discuss some of the potential effects it could have on your online life.

What is the GDPR?

The GDPR can be viewed as a modernization of the 1995 European Data Protection Directive. Given how much the Internet has changed since 1995, the GDPR provides consumers with more rigorous privacy protections in light of the complexities of the Internet in the era of social media and big data. Most notably, the legislation enhances the rigor of privacy through the following provisions:

  • Data transparency and justified processing. Several parts of the GDPR spell out that a consumer (referred to as “data subject”) must give affirmative consent to the collection of their data and that the purposes for which data can be collected are limited to what is strictly necessary. For example, service-critical data required to carry out the functions of a given platform or data needed to comply with the law would be deemed necessary.
  • Breach Notification. The GDPR also addresses breaches, in particular breach notification and response time: a company must report a breach within 72 hours of learning about it.
  • Right to object. Among the many consumer rights the GDPR says companies have to respect is the right for consumers to object to how aspects of their data are used, including provisions allowing consumers to reject some degree of data profiling and direct marketing.
  • Right to Access. Consumers also have the right to request a copy of data that’s been collected on them, not just from web services, but from other entities too, like employers. Data must also be easily portable or transferable in the instance that consumers wish to move their data to another service.
  • Right to be Forgotten. The GDPR reinforces protections European consumers already have around data erasure (data clearing or wiping) and the requests consumers can make to delete their information from the Internet.
  • Privacy by Design. Privacy by design is a standard security slogan, but the GDPR is really the only legislation that mandates it in some form. This ties into the objective that data collection and processing be justified, and thus, systems must be designed in a way that only data deemed absolutely necessary can be collected from users.

The GDPR also mandates that companies have appropriate security measures that match the present state of technological development at any given time and are sufficient for the level of data they protect.

How does the GDPR affect you?

While the GDPR’s jurisdiction is limited to the EU, the legislation directly affects not just companies operating out of the EU, but also those choosing to do business in the EU. This means that large multinational Internet conglomerates like Google, Facebook, Amazon, etc. must comply with the GDPR. Though compliance is only supposed to affect these companies’ operations within the EU, some experts and pundits are suggesting that the GDPR will likely provide the push for Silicon Valley companies to consider creating privacy rules of their own for users outside of the EU – if only to be proactive and get ahead of any future scandals. One prominent reason for this optimism is that the open nature of the Internet makes it somewhat impractical to completely contain some of the benefits of the legislation. At the very least we should expect to see some spillover effects, which seems to be illustrated by the fact that many tech services are making updates to their terms of service across different geographies.

But while it is true that the Internet can make it both harder for tech companies to selectively apply regulations and easier for consumers to globally compare notes to see who’s getting the better deal, some experts caveat that we should not expect tech companies to opt to deploy a broad swath of GDPR-like rules globally. This is a valid point that’s best illustrated by Facebook’s response to the GDPR. Despite Mark Zuckerberg’s (admittedly tepid) support for applying GDPR rules globally, Facebook recently announced that only European users would be getting substantive privacy changes. This makes sense, given that Facebook might see a 7% decrease in revenue due to GDPR and thus, has no incentive to apply these rules universally. That might not matter, however, as some states in the U.S., like California, are considering regulations of their own. During the Facebook hearings, we caught a glimpse of this, as some members of Congress expressed interest in the GDPR and others revealed that they were working on privacy bills for their constituents. It is worth noting, though, that none of these bills mentioned during the hearing were as robust as the GDPR.

What should we expect from the GDPR?

One guaranteed benefit of the GDPR for non-Europeans is that many services, especially the large tech giants, have at the very least, begun to make their terms of service documents less opaque. These changes are supposed to coincide with GDPR compliance, and they are the reason why you might have seen emails and messages about companies changing their terms and conditions. This increased transparency might seem like a concession or consolation to non-European users, but some are hopeful it’s a start toward improved user relations, however slowly that change might progress.

Outside of this, the GDPR’s effects are not completely clear. There are concerns that despite European legislators’ best efforts, in the long term the GDPR might actually empower the world’s largest companies economically. There’s evidence to suggest that small companies historically have a harder time adjusting to regulation than industry incumbents, especially if they’re already large and have a lot of money and clout. It might be too soon to tell, however, how the regulation will play out.

Another concern, held by security researchers, is that the current GDPR provisions as they stand will wreck WHOIS, a useful tool that we’ve suggested users consult when attempting to identify fake websites. WHOIS, which is managed by the Internet Corporation for Assigned Names and Numbers (ICANN), is also useful for automating anti-spam tools and identifying trends among cybercriminals. There have been pushes to have the EU carve out temporary exceptions until a solution is created, but these have failed. While the GDPR is a demanding piece of legislation, some experts are pointing out that ICANN, which has known about the GDPR for years, has failed to produce or take ownership of any proposals to preserve a GDPR-compliant WHOIS database.

Despite the current list of predicted benefits and consequences of the legislation, determining the real benefits of the GDPR – especially for those of us outside of Europe – isn’t something that can easily be done. The law’s effects will come down to the way it’s enforced as well as what strategies companies adopt for approaching the regulation.

For more information on the tech news stories that impact you, keep reading our technology blog.