The General Data Protection Regulation, or GDPR, goes into effect today, threatening huge fines for businesses that abuse Europeans’ data.
The dos: From now on, companies everywhere must:
- get EU citizens’ consent to collect their personal data and explain what it will be used for
- let them see, correct, and delete it upon request
- make it easy for users to shift their data to other firms
The don’ts: Companies must not ignore regulators’ requests to fix GDPR failings, nor take more than 72 hours to report a security breach involving personal data. Many still aren’t fully ready for the new regime.
The punishment: The worst offenders can be fined up to 20 million euros ($23 million) or 4 percent of their revenue from the prior year, whichever is greater. There are smaller penalties for less serious transgressions.
The panic: Some American media groups have already blocked EU users from their sites rather than run the risk of fines. The rules also have huge implications for social-media companies like Facebook, which has asked people to update their privacy settings. Privacy activists have already filed complaints against Facebook and Google.
Why this matters: Europe’s tough standards could influence how America and other countries shape their data protection regimes.