A new European data privacy law took effect Friday, ushering in an era intended to better protect the personal data of citizens and overhaul how companies collect, process and store such information.
The new law takes effect as social media giant Facebook has come under fire in the United States in a privacy scandal.
The European Union General Data Protection Regulation (GDPR), which supersedes a collection of regulations in individual countries dating back to 1995, more stringently enforces existing privacy rights.
Companies will continue to gather and analyze data from phones, apps and websites. The significant difference is that companies must now justify reasons for collecting and using the data. They are also prohibited under the new law from using the information for a different reason at a later time.
The new regulations apply to the 28-nation EU, but will also affect both large and small U.S. businesses.
They require firms to clearly explain how they gather and use information. As a result, companies are eliminating legalese as they rewrite their privacy policies.
GDPR specifies six ways companies can justify the use of personal information, including one called “legitimate interests,” a broad reason for companies to keep using data. In such cases, companies must prove that their needs exceed the potential effect keeping the data can have on users’ privacy, according to David Martin, senior legal officer for BEUC, the European Consumer Organization.
Companies must also give consumers the ability to delete information and object to data use under one of the specified reasons. Firms also have to clarify how long they store data.
The rules require companies that experience data breaches to disclose them within 72 hours. It took Yahoo two years to reveal a breach that involved 3 billion accounts.
U.S. companies such as Goggle also have to comply with the new rules. Violators could be fined up to $24 million, or 4 percent of annual global revenue, whichever is greater.
EU-based companies are required to offer the new privacy protections to all their users, even if they are not EU residents.
It remains unclear how GDPR will affect visitors to Europe. A legal officer with the London-based group Privacy International said many questions will be addressed by the courts and the legislature.
Companies can still be less aggressive in obtaining permission to collect data outside of Europe, as they typically assume consent unless the user says otherwise. Firms can delay seeking consent until users visit the EU, at which time they may receive a pop-up notice.
Some companies are implementing EU-type protections to users everywhere, including U.S. software manufacturer Microsoft.
If other countries do not adopt similar privacy rules, which is not expected to happen in the foreseeable future, many firms likely will maintain two sets of privacy standards.