The U.S. takes credit for creating the Internet, and the European Union seems determined to govern it. On Friday, a sweeping new directive goes into effect called the General Data Protection Regulation, or GDPR. Taken together, its 99 articles represent the biggest ever change to data privacy laws. The new rules have implications for U.S. Internet users too.
Here are answers to three questions you might have about the new law and its potential impacts.
What is GDPR?
It's a new law that protects residents of the EU — people living there, including Americans. (If you're a European and live in the U.S., you're not protected.) Under GDPR, all companies that have an Internet presence — including large American companies like Google, Microsoft and Facebook — have to comply.
At the most basic level, GDPR expands what counts as personal data and your rights over that data. Your data is, for example, what you post on social media, your electronic medical records and your mailing address. It's also your IP address (a string of numbers that's unique to your smartphone or laptop), as well as GPS location.
The directive says people have to give permission for a company to collect their data. A company can't just sign you up without explicitly asking. And the more personal the data — say, biometrics, which is considered a special category under the law — the ask must be even more clear.
Europeans have a right to have their data deleted if they don't want a company to keep it. Companies have to delete the data without undue delay, or face a penalty.
I live in the U.S. How does it impact me?
If you're American, you're probably getting a lot of emails and push notifications from your apps and maybe even newsletters you forgot you signed up for. For example, new privacy notices from Spotify and eBay say you can request to delete personal data they've stored.
"But there's nothing binding about it," says attorney Michael R. Cohen, who is based in Minneapolis. "In the U.S., the business model is pretty much, companies can do what they want, so long as there isn't a specific law prohibiting it." The U.S. has laws protecting data privacy for health and financial records, and and for children. "Other than that, we're pretty much the Wild West," Cohen says.
That's how as many as 87 million Facebook users had their profiles land in the hands of a political operative. Last month, in testimony before Congress, Facebook CEO Mark Zuckerberg said he'd give Americans all the same controls Europeans have.
"We believe that everyone around the world deserves good privacy controls. We've had a lot of these controls in place for years. The GDPR requires us to do a few more things, and we're going to extend that to the world," he said.
In reality, Zuckerberg isn't offering the same protections. For Facebook users, there is a big difference between Europe and the U.S. when it comes to what is collected by default. In Europe, Facebook has to get permission to do facial recognition — and it's not the default setting. But in the U.S., it is. American users have to click through screens to opt out.
Will the new law hurt businesses that rely on data collection?
That is a key debate right now. One side argues that GDPR will be terrible for competition, giving big businesses a leg up over small ones. Small companies won't be able to afford the millions of dollars in expenses that come with managing and protecting data. So they won't survive.
Another camp argues that consumers don't trust businesses on the Internet anymore anyway (as evidenced by the rise of ad blockers). If that's the real problem, the laws will make a difference by making businesses think more deeply about what data they collect and why, and GDPR may improve the quality of the Internet.
But it's too early now and this is all a guessing game at this point.