The Brand New General Data Protection Regulation In The EU

June 11, 2018
Jay Kesan from the University of Illinois College of Law

If you have online accounts with social media sites, e-commerce companies or any other businesses that hold your personal information, you have probably been receiving a flurry of privacy policy update notifications by email over the past few weeks.  This is because the deadline for those companies to become GDPR-compliant, May 25th, has just passed.

GDPR stands for General Data Protection Regulation.  It was adopted by the European Union in April 2016 to protect the data security and privacy of people in the Union, or “data subjects”, the term the regulation uses.  Companies collecting or processing the personal information of data subjects had two years to get ready and become compliant.  The focus of the regulation is to restrain companies from abusing user data and to make the process of data collection and handling more transparent to data subjects.  In addition, under the GDPR, data subjects have the right to control the data that companies collect about them: they can correct inaccurate personal information, request a copy of the collected data and, under certain circumstances, have their personal information erased, also known as the “right to be forgotten.”

The GDPR applies not only to EU companies, but also to businesses outside the EU that handle the personal information of data subjects located in the European Union.  The scope of the regulation can be interpreted expansively because the data subjects it protects are not necessarily EU citizens.  The specific wording of the regulation refers to data subjects “in the Union”, so by its language it could conceivably protect the personal data of Americans on vacation in Europe.

Besides its broad scope, the GDPR imposes heavy fines on companies that are found not to be compliant.  Under the GDPR, there are two tiers of administrative fines.  The lower tier, up to 10 million Euros or 2% of the company’s global annual revenue, is for violations such as failing to report data breach incidents in a timely manner.  The higher tier, up to 20 million Euros or 4% of global annual revenue, whichever is higher, is for violations of data subjects’ rights and unlawful data processing practices.  For many companies, a fine as large as 4% of annual revenue is a significant share of their profit for a whole year.  Some analysts believe that a fine this big is unlikely, since the regulation says fines must be “effective, proportionate and dissuasive”.

The way the fines are structured suggests that the regulation is going to have a bigger impact on small businesses than on large ones, because for small businesses a 10-million-Euro minimum fine for the lower tier might be greater than 2% of their annual revenue, so they may end up paying relatively more than large companies do.  In addition, large companies like Google or Facebook have more technical resources to implement the data protection measures the GDPR requires, and more legal resources to become compliant.  According to a survey conducted by a security research firm, Crowd Research Partners, on the challenges of becoming GDPR-compliant, 43% of the firms interviewed reported that they do not have expert staff, and 40% said that they lack the budget to comply.  In short, many firms may have to choose between risking fines and complying at greater cost.

The GDPR has been in force for only a couple of weeks.  There are still a lot of uncertainties about how firms should comply with it and how it will be enforced.  But it is a good starting point for improving data protection, and perhaps in the future we will see fewer incidents like the Facebook and Cambridge Analytica scandal.