New European Law Raises the Bar for Data Privacy Protection
A new European Union data privacy law is causing headaches for many American businesses.
It’s called the General Data Protection Regulation – or GDPR for short – and it went into effect Friday.
It’s also why you may have noticed many websites now requiring you to agree to new privacy policies before granting access to their sites.
Debbie Reynolds, a global data protection and privacy expert at law firm Eimer Stahl, says that Europe has long been sensitive about citizens’ private data and privacy rights because of its dark history, in particular the use of personal data by the Nazis to identify and kill their enemies.
“As a result of the way Nazi Germany was using information about people to make life-or-death decisions about them, the EU decided that privacy was a fundamental human right,” Reynolds said.
The EU passed data privacy legislation in 1995, when the internet was still in its infancy, enshrining the right to privacy as a fundamental human right.
But Reynolds notes that since then, at least two key events led the Europeans to believe they needed to strengthen privacy protections.
“The first was the enactment of the Patriot Act (in the United States) – a lot of Americans’ data privacy rights were curtailed because of that. Labelling things as terrorism gave the state vast power to control people’s data – even including the data of EU people at that point,” she said. “The next thing that happened that was really big was the Edward Snowden-NSA hacking incident with WikiLeaks, which highlighted the ways personal data was being used by the U.S. in ways that the EU was not happy about.”
Reynolds notes that the EU has long believed U.S. data privacy protections to be inadequate. And GDPR is the response.
“Under GDPR, anyone in the EU has to give their explicit and affirmative consent for a company to use their data. They can decide at any time to revoke their consent. They can ask to see what data (a company has) about them. And they can ask that you delete or return it,” Reynolds said.
Although there is nothing in the new law that would force U.S. companies to adopt GDPR data protection standards for non-EU citizens, large companies with global operations don’t want to maintain multiple data privacy policies for different countries. And with the EU being such a large market, they have little choice but to meet the new, higher data privacy standard.
By comparison, American data privacy laws are largely a patchwork of legislation that varies from state to state.
Reynolds believes the new EU law is already having some positive effects here.
Reynolds joins Phil Ponce to discuss the implications of GDPR on businesses and consumers.