May 25, 2018 introduces a sweeping new directive that goes into effect in the European Union (EU) called the General Data Protection Regulation, or GDPR. It represents the biggest change ever to data privacy laws. The new law effects US users as well.
The law protects residents of the EU including US citizens living abroad. Under the GDPR, all companies that have an Internet presence including large US companies including Google, Microsoft and Facebook, have to comply.
To simplify things, the basic purpose the GDPR is to expand what counts as personal data and your rights over that data. Examples of “your data” are things such as posts on social media, electronic medical records and even your IP address (the unique ID numbers used to identify your smartphone or laptop), as well as GPS location.
The directive says people have to give permission for a company to collect their data. A company can’t just sign you up without explicitly asking. And the more personal the data the ask must be even more clear.
Europeans have a right to have their data deleted if they don’t want a company to keep it. Companies have to delete the data without undue delay, or face stiff penalties.
I’m certain that you have noticed an increase in emails from your apps and other digital correspondence outlining new privacy notices that allow for you to request them to delete personal data they have stored.
A recent blog for NPR by Aarti Shahani quoted Minnesota attorney Micheal R. Cohen as saying “there’s nothing binding about (the request),” He went on to say that “In the U.S., the business model is pretty much, companies can do what they want, so long as there isn’t a specific law prohibiting it.” The U.S. has laws protecting data privacy for health and financial records, and and for children. “Other than that, we’re pretty much the Wild West,”
This is only the beginning of the personal data privacy debate. Over 80 countries and independent territories, including nearly every country in Europe and many in Latin America and the Caribbean, Asia, and Africa, have now adopted comprehensive data protection laws. The United States is notable for not having adopted a comprehensive information privacy law, but rather having adopted limited sectoral laws in some areas.
These laws are based on The Fair Information Practice that was first developed in the United States in the 1970s by the Department for Health, Education and Welfare (HEW). Some of the basic principles of data protection are:
- For all data collected there should be a stated purpose
- Information collected by an individual cannot be disclosed to other organizations or individuals unless specifically authorized by law or by consent of the individual
- Records kept on an individual should be accurate and up to date
- There should be mechanisms for individuals to review data about them, to ensure accuracy
- Data should be deleted when it is no longer needed for the stated purpose