US Companies Must Comply with European Data Privacy Laws
US companies usually don't need to concern themselves much with foreign laws, if they don’t have offices in foreign countries.
That's about to change.
The GDPR was approved in 2015 and is scheduled to take effect on May 25. It regulates what types of information companies can collect, store, and use about residents of the 28 countries in the EU.
The rules apply to companies that have customers in the EU, even if the company itself is based outside the EU.
The Right to be Forgotten
Among other things, the GDPR deals with the "right to be forgotten."
In 2014, the highest court in the EU ruled that people had the right to influence what information about them was available in an online search and that search engines like Google should allow people to be "forgotten" or "erased" by removing links to web pages after a period of time.
As the Times noted, people don't necessarily want their drunken college pictures available online for the rest of their lives.
The GDPR rules also require parental consent before children under 16 can use some digital services — including Facebook, Instagram, and Snapchat — unless the EU country where the children are located allows access at a younger age.
Companies are also required to notify national regulators of any data breaches within three days. Many past data breaches involving personal consumer information have gone unreported for months.
A company that fails to comply with the GDPR can be fined 4% of its annual revenue — hundreds of millions of dollars for large companies.
Complying with the new rules isn’t a simple matter. As the Times notes,
Facebook and Google have deployed hundreds of people to make sense of the regulations. Many of the companies have overhauled how they give users access to their own privacy settings. Some have redesigned certain products that suck up too much user data. And in some cases, companies have removed products entirely from the European market because they would violate the new privacy rules.
Facebook has started offering a new privacy center that puts user security setting on a single page rather than on several different pages.
Last year, Facebook announced a program that uses artificial intelligence to monitor postings by Facebook users for indications that they intended to commit suicide. The program will not (at least for now) be available in Europe because the company needs to ask users for sensitive personal health data in order for the program to work.
The EU has a much more stringent approach toward consumer privacy than the US does. Commentators suggest that the EU privacy initiative may spread to the rest of the world, including the US, as consumers seek more control over their private information.