Skip to main content

What Is the GDPR? The EU’s Online Privacy Law: Explained

Privacy wonks won't shut up about 'GDPR,' and it's worth learning why

What is GDPR? And why should I care?

As soon as Facebook’s data abuse scandal broke, questions of legality and regulation quickly came into focus. Most notably, the scandal found itself at odds with a piece of legislation in the European Union (EU) called the General Data Protection Regulation (GDPR), which plenty of Americans were hearing about for the first time.

Even though Facebook is a company based in the U.S., due to the nature of the internet, regulations like GDPR have far-reaching consequences for individuals and companies all around the world. Facebook may have gone to D.C., but GDPR is what it should really be afraid of.

Based in the EU, active worldwide

The GDPR is a landmark piece of legislation in the EU that enshrines stronger data protection and digital privacy laws for EU citizens. Replacing the 1995 Data Protection Directive, the GDPR is an attempt to give internet users more of a say in how their data is used and mandates companies to adhere to strict guidelines on how it is collected, stored, and leveraged. Slated to come into law on May 25 2018, it stands to make a dramatic impact on a variety of international companies and services.

The GDPR is an attempt to give people a say in how their data is used and mandates strict guidelines on how companies collect, store, and leverage it.

Although the GDPR has had its critics, there’s no stopping it now. It was adopted in 2016 and is now set to be implemented and enforceable after a two-year transition period, most recently showing its teeth in the Facebook data abuse case. Even more important in the case of that social network though, is that its data-processing center is in Ireland, making anyone outside of the U.S. and Canada legally covered by the new legislation.

Facebook itself may go even further than that though. During a recent hearing with the House committee, Facebook CEO Mark Zuckerberg said (mostly) clearly that the plan was to extend all new rights under the GDPR to all Facebook users. That would include those within the U.S. and Canada too. That could mean data handling parity and additional privacy tools for American Facebook users.

In turn, that could mean big things for entities like Cambridge Analytica, which make a point of operating in international grey areas. The fact that similar organizations collect data through social networks using their own APIs, could leave those networks vulnerable to the new legislation in turn and may lead to a further crackdown on such practices.

Bill Clark/Getty Images

While all of this may seem a little complicated at first glance, the GDPR’s main purpose is to update international data protection laws for the 21st century. As it stands, countries are bound by laws created in the 1990s with individual EU countries all having their own privacy laws and mandates. Where the 1995 Data Protection Directive allowed for such nuance in different countries, the GDPR is a regulation, which means it is a hard law, not a minimum requirement. The GDPR will attempt to unify Europe’s digital data regulations under one banner to make operating within those countries as a data collector or processor more uniform.

Protections for the individual

Although the GDPR is likely to have the biggest day-to-day impact on the operations of corporations and online businesses, its main purpose is to protect internet users themselves. As part of the GDPR’s implementation, EU citizens will have a number of new powerful rights when it comes to their online information. That data can be as public as their name, or as personal as their medical information. If a company or other online entity collects it or processed that information in any capacity, they are bound to protect it and offer a number of services to the person that data is about.

If a company or other online entity collects it or processed that information in any capacity, they are bound to protect it and offer a number of services to the person that data is about.

The first of these new online rights for EU citizens is a right to be informed about what data is being collected, how it’s being used, and how long it will be retained for. That should mean sites like Facebook have far more in-depth privacy policies and will need to update them regularly as new data uses are employed. Companies may still be able to collect and store data, but not leverage it in any way.

Perhaps the most important power the GDPR gives EU internet users though, is related to the right to objection and “profiling.” Effectively, any website or service which uses personal data for direct marketing or for creating a “profile” of a person for other means, can be requested to cease such operations by the affected user.

Image used with permission by copyright holder

In the case of companies like Google and Facebook, that could mean that users opt out of the very advertising profiling strategies which have made them such mega giants of online advertising. In theory, it could create real problems for their revenue streams — though it’s also possible it could cripple the competition and allow them to consolidate dominant positions.

The big caveat to all of these changes and improvements to online privacy, is that legally, they only extend to EU citizens. However, as with the case of Facebook, it may be that companies wanting to not get caught out by the legislation simply extend the additional rights to all users globally. There is no guarantee of that, but with Facebook leading the way, it’s certainly a possibility.

It is of real importance that organizations take these new regulations seriously, as there are severe sanctions in place should the GDPR be fallen afoul of. While there are low-level sanctions such as a written warning for first-offenses or non-intentional noncompliance, regular data protection audits can follow — and from there the repercussions become steep. Fines of between 20 million euros ($25 million) and four percent of a company’s annual worldwide turnover, whichever is higher are possible, though lesser fines of $10 million or two percent of annual turnover could be applied in other cases.

Editors' Recommendations

Jon Martindale
Jon Martindale is the Evergreen Coordinator for Computing, overseeing a team of writers addressing all the latest how to…
How to control the ads you see online
Control online ad targeting with these crucial settings
ads windows 10 lock screen features users wanted added v2

Tired of ads tracking and targeting you? Beyond the obvious privacy concerns, ad targeting can keep you from seeing ads you might actually be interested in, or potentially reveal your browsing habits to other users on that computer.

As you can guess, many people would rather have more control over what ads they see online, and avoid specific types of ad targeting if possible. To help out, we're going over how to gain more control over online ads on Google, Facebook, and websites as a whole.
Controlling ads on Google
Step 1: First, you need a Google Account, so set one up if you don't already have one. When you're ready, sign into your Google Account. You will immediately see several management sections, the first being Privacy & Personalization. In this block, select the option that says Manage your data & personalization.

Read more
Google to increase privacy online via its new Privacy Sandbox initiative
Google search engine on tablet

Amid mounting concerns about online privacy, Google has taken a step toward addressing those concerns with a few of its own plans for developing what it calls “a more private web.” 

Via a blog post published Thursday, August 22, the technology company announced a new initiative to advance privacy. Referred to as a Privacy Sandbox, Google’s new privacy initiative involves developing “a set of open standards to fundamentally enhance privacy on the web.” But the initiative isn’t just intended to promote privacy, it also apparently aims to support the use of advertising in ways that avoid undermining efforts to preserve users’ privacy. 

Read more
The Winston Privacy Filter hides your online activities from prying eyes
This magic box stops hackers, advertisers, ISPs, and everyone else spying on you
Winston Privacy Filter

Data is big business, and everyone wants a piece of what you're up to when you venture online. The trouble is that many of the companies we trust with our private data are proving extremely untrustworthy. From Facebook to AT&T, it's tough to find a big tech company or service provider that hasn't been caught selling data or accidentally exposing it.

Advertisers go to great lengths to track you online, ostensibly to serve ads more accurately, but that can quickly become more nefarious than it sounds with people being offered different prices or denied insurance based on their online activities. Internet Service Providers (ISPs) can see everything you do and, after overturning net neutrality, they are throttling your speeds for certain sites. All of this comes before we consider the danger of hackers.

Read more