EU toughens digital privacy regulations
Laws will require new consent and will limit how personal data used
Users of Facebook, Google and other popular technology platforms are likely to benefit from stricter privacy regulations that, beginning next month, will require new disclosures, new forms of consent and new power to limit how personal data is stored and utilized.
The changes are being announced in emails, blog posts and new on-screen messages that many consumers are already beginning to see from Apple, Twitter, Airbnb, GoDaddy and others. Facebook users will receive new privacy prompts in the coming weeks.
Don’t bother thanking Washington, which remains mired in gridlock despite rising public concerns about data privacy. Rather, the changes emanate from the EU, which is imposing a host of new regulations that are forcing global changes, in- cluding for hundreds of millions of tech consumers in the U.S.
Privacy advocates warn that these changes won’t fundamentally change the relationship between consumers and tech companies, many of which make their profits by collecting data on users, building individual profiles and selling advertising based on the resulting troves of data.
“I don’t know that these companies are making radical differences in what they’re doing,” said Justin Brookman, director of consumer privacy and technology policy for Consumers Union.
But the changes do mark a rare shift toward greater user control and transparency as companies scramble to comply with the European regulations. Those that fail to do so could face fines of up to 4 per cent of global profits. The new laws, known as GDPR, for General Data Protection Regulation, take effect May 25 in the EU.
They require that tech compa- nies use plain language to explain how their data will be used and that users give explicit consent for these uses. As companies create new ways of using data, they must ask again for permission.
Under GDPR, users also are gaining new rights to download their data and move it to other platforms. And there are new restrictions on data collection on users under the age of 16, unless parents or guardians consent.
Companies are not required to apply these same regulations outside the EU. Some, such as Twitter, said they will implement privacy rules differently in the U.S. and Europe. WhatsApp, which is owned by Facebook, announced this week that it was raising the minimum user age to 16 in Europe, but leaving it at 13 for users in the rest of the world, including the U.S.
Many others, however, are choosing to adopt a single global standard because of the logis- tical challenges of maintaining two sets of privacy regimes and also to avoid the potential political and public-relations backlash for giving protections to one set of consumers and not others. Companies say there may be minor variations between privacy standards in the EU and the U.S., but not to a degree most users would notice. Facebook CEO Mark Zuckerberg, during congressional testimony this month, said his company would apply the European standards to U.S. users. A company blog post later elaborated, “Everyone — no matter where they live — will be asked to review important information about how Facebook uses data and make choices about their privacy on Facebook.”
The uneven responses among the companies are frustrating privacy advocates, who argue that the arrival of GDPR offers an opportunity for fundamental change — beyond just a series of new explanations and consent boxes that users are asked to check.