The Economist describes Europe’s new data privacy law, GDPR, set to go into effect on May 25:
The new law was mostly written by privacy-conscious Germans. Consent to collect and process personal data now has to be “unambiguous” and for “specific” purposes, meaning that catch-all clauses hidden in seldom-read terms and conditions, such as “your data will be used to improve our services”, will no longer be sufficient. “Data subjects” can demand a copy of the data held on them (“data portability”), ask for information to be corrected (“right to rectification”), and also request it to be deleted (“right to be forgotten”).
As a result the GDPR ensures that all organisations which collect and keep data will take their use (and abuse) much more seriously. Take the fines. Under the GDPR’s predecessor, an EU directive dating from 1995, fines were negligible. The upshot was that firms gave data protection little attention and few resources. But the risk of hefty penalties has raised privacy to a board-level matter. “We have support from the top down,” says Susan Bandi, who is in charge of data security and privacy at Monsanto, an agrochemicals company.
There has never been a more consumer- and person-friendly data privacy law than GDPR. We can all hope for a ripple effect where adhering to GDPR’s rules becomes the easiest solution for companies worldwide; unfortunately, that’s not likely for giants like Facebook and Google. But it is a huge step forward for Europeans, and a model of what a good personal data protection law looks like.