Europe’s new data privacy rules, the General Data Protection Regulation, have taken effect, but what they actually mean remains to be discovered. And whether the GDPR, as it’s known, really helps protect your private data may depend on complaints that Max Schrems, an Austrian privacy activist, filed against Google, Facebook, Instagram and WhatsApp on the day the regulation went into effect.
It’s not a U.S. law, but the GDPR applies to all companies, located anywhere in the world, that offer goods or services to EU residents, or that monitor online activities of people in the EU. As a result, many large multinational companies have chosen to comply with the GDPR worldwide, rather than trying to differentiate between customers and users located in the EU and elsewhere.
Although the GDPR is in many ways similar to the EU’s previous privacy rules, it offers the tantalizing possibility of giving people real control over their data for the very first time—though it might take years to sort out.
Giving notice
Like many privacy rules, the GDPR is based on the principles of notice and choice. A company that wants to collect your personal information must first give you notice about what data it proposes to collect and what it plans to do with it. You then choose whether to allow the company to collect the data. The concept is part of the Fair Information Practice Principles, a set of privacy guidelines first formulated in a 1973 federal report that now form the basis of many privacy regulations in the U.S. and abroad.
In the mid-1990s the U.S. Federal Trade Commission began urging operators of websites to post privacy policies that provide this type of notice. In 2003, the state of California began requiring a posted privacy policy on all websites collecting information from California residents. As a result of this prodding, most commercial websites now display a privacy policy to anyone curious enough to click on a hyperlink labeled “Privacy” at the bottom of the website’s home page.
It’s not a U.S. law, but the GDPR applies to all companies, located anywhere in the world, that offer goods or services to EU residents, or that monitor online activities of people in the EU. As a result, many large multinational companies have chosen to comply with the GDPR worldwide, rather than trying to differentiate between customers and users located in the EU and elsewhere.
Although the GDPR is in many ways similar to the EU’s previous privacy rules, it offers the tantalizing possibility of giving people real control over their data for the very first time—though it might take years to sort out.
Giving notice
Like many privacy rules, the GDPR is based on the principles of notice and choice. A company that wants to collect your personal information must first give you notice about what data it proposes to collect and what it plans to do with it. You then choose whether to allow the company to collect the data. The concept is part of the Fair Information Practice Principles, a set of privacy guidelines first formulated in a 1973 federal report that now form the basis of many privacy regulations in the U.S. and abroad.
In the mid-1990s the U.S. Federal Trade Commission began urging operators of websites to post privacy policies that provide this type of notice. In 2003, the state of California began requiring a posted privacy policy on all websites collecting information from California residents. As a result of this prodding, most commercial websites now display a privacy policy to anyone curious enough to click on a hyperlink labeled “Privacy” at the bottom of the website’s home page.
Comments