While consent is at the front of our collective consciousness — for a number of significant reasons that have nothing to do with online privacy — it’s also at the heart of a new law in Europe, going into effect this week, that mandates companies be more forthcoming about what it is customers are actually agreeing to when they consent to sharing their personal information.
The European Union’s General Data Protection Regulation is a set of privacy regulations that limit the ways in which companies can collect and use their customers’ personal data. While the law formally goes into effect on May 25, many companies have already taken steps to be in compliance — including sending emails to their customers and posting new terms-of-use agreements on their websites.
The law affects all companies that have user data from European citizens, but the execution of its requirements will have a noticeable, international ripple effect. Pablo Molina, DLS, Drexel’s chief information security officer, who is a noted expert in data privacy and technology ethics, recently helped to explain how this law could change the way we think about our online presence and who we trust with our personal information.
What is the new law?
The new European Union General Data Protection Regulation, known as GDPR, is the new privacy law for the 28 countries presently in the European Union. It regulates the activities of organizations —corporations, non-profits and government agencies — that process and control information about people who are in the European Union.
Which companies will be affected by it?
Because the internet is global and most businesses have an internet presence, many companies are subject to GDPR. This is the case even for companies that operate mostly in the U.S.
How could users in the U.S. be affected by it?
U.S. internet users will benefit from more transparency about how companies use their data. We will also be able to understand better the privacy settings and notices on websites. It will be easier to give or withdraw our consent for the use of our data.
What changes could we notice this week?
As organizations ramped up their efforts to comply with GDPR, we already saw some of the effects of it. Both large technology companies — Google, Facebook and Twitter, to name a few — and small ones, recently translated their privacy practices from hard-to-understand legal language to common language.
They sent us emails or displayed pop-up windows on their websites to alert us about these changes. Companies that send email announcements must now regularly request our consent before sending more emails.
Can companies still collect and share personal data?
They can, but they have to be transparent about it. We can consent to it or not. And we can withdraw our consent at will. With the new law, the companies are also responsible for the data not only when they have it, but also when they transfer the data to other organizations.
Would a law like this have prevented the Facebook-Cambridge Analytica situation?
Yes. Because of the potential fines for engaging in wrongful data practices, both Facebook and Cambridge Analytica would have thought twice about sharing user data without consent or transparency. The application of GDPR to this case could have resulted in a fine of up to $1.6 billion against Facebook.
What is the penalty for companies that violate the new law?
The fines can be hefty. For technical problems, the fines could be up to 10 million Euro or 2 percent of a company’s global revenue. For serious failures, the fines could be up to the greater of 20 million Euro or 4 percent of a company’s global revenue.
Pablo Molina is the founder and executive director of the International Applied Ethics and Technology Association and a board member of the Electronic Privacy Information Center — two preeminent information security and technology watchdog groups. He will be participating in a discussion this week about the General Data Protection Regulation at the Spanish Agency for Data Protection in Madrid.
For media inquiries contact Britt Faulstick, bef29@drexel.edu or 215.895.2617.
