Today marks the beginning of a long-awaited and, in some circles, long-feared era—the General Data Protection Regulation (GDPR) is officially in effect. In the months leading up to today, many technology companies have been scrambling to comply with the new regulation. The GDPR, among other things, permits individuals to request their data and restricts how business entities may collect and handle the information of residents of the European Union (EU). Referred to as the “right to be forgotten,” the GDPR allows for persons to request the data that a company holds on them, and demand its deletion.
Another remarkable provision is that the Regulation requires businesses to clearly outline how an individual’s information is being handled, with fines that could total in the billions, for some, acting as the reprimand for noncompliance. Further still, the GDPR contains two Articles (33 & 34) that outline reporting and notification requirements in the event of a data breach, thereby centralizing the data breach reporting process. This is notable because the United States currently faces a propagation of lawsuits related to data breaches, and one response has been passage of “notification” statutes by all states requiring businesses who suffer a data breach to notify affected individuals. There is discussion that the federal government in the United States should undertake passing legislation to require a uniformed process for notification in the event of a data breach. It seems likely, therefore, that the U.S. government will be closely watching the impact this uniformed reporting requirement has.
Elsewhere in the world, the EU’s bold step in individual data protection serves as the inspiration for nations seeking to create their own data protection laws. For example, Brazil has consulted the EU as it drafts its own data protection bill—which closely mirrors the European one. Why might this be? On the one hand, an optimist might say that the desire for a country to protect the personal data of its citizens is of critical concern to it. On the other, however, a more realistic reason might be that the GDPR limits what data entities can transfer outside of the EU, unless the data goes to a country meeting European standards. It follows, then, that if a nation like Brazil complies with the rigid standard outlined in the GDPR, trade agreements will be more easily effectuated—since what will likely serve as a crucial precondition is satisfied: personal data protection.
Further, the passage of the GDPR perturbed the tech titans of Silicon Valley and prompted lobbying efforts in Brussels because they feel the EU unfairly focuses on them and their operations. For example, the EC recently fined Google €2.42 billion for breaching European Antitrust laws with its ad preference algorithm. As the EU seeks to police the regulations of the GDPR and issue fines to noncompliant companies, the blowback will provide for an edge-of-your-seat-like atmosphere.
Happy GDPR Day to all and to all one question: are you compliant?