After the first dozen emails about the European Union’s General Data Protection Regulation from businesses, I stopped counting. After the first two, I stopped reading.
You’re probably in the same boat — because unfortunately, the GDPR didn’t require everybody to notify you at the same time.
And even though the regulation passed two years ago, and every major company should have known it was coming, many are still scrambling to comply with the new rules that went into effect late last month. A whopping 84 percent said they don’t understand what the regulation means to their business and 59 percent said they don’t have the resources to comply. Great.
If you haven’t bothered to learn what the GDPR is all about, I don’t blame you: Obviously businesses haven’t done their homework, either. But it’s actually a great idea, so I want to talk about how it works and what we could do better here.
What the GDPR does — and doesn’t cover
Isn’t this all a European thing? Well, no. Because big businesses operate internationally, and because it’s an enormous hassle to have one set of rules for Europeans and another set for everybody else, the EU in some ways gets to shape broader policy.
It’s sort of like how California’s stricter regulations sometimes spread to affect products and services for everybody in the U.S. They were the first to implement smog checks, bike helmet requirements, a smoking ban.
And now the EU is the first to take data privacy seriously. Companies are of course free to maintain different sets of rules for Americans. They’re also free to shut out the European market so they don’t have to deal with the regulatory headache. But in many cases we’ll be getting secondhand benefits from our friends across the pond.
The regulation covers all “personal data” collected within EU countries, even by American companies. That means it should cover American expats living in the U.K., but it wouldn’t affect Europeans on vacation at Disney World. And, like I said, it wouldn’t affect data collected in the U.S. about Americans at all — unless companies change their overall practices just to make things easier.
Their definition of personal data is also beautifully encompassing — it includes any information that can be used to identify people, even indirectly, such as IP addresses and passwords. That also means stuff like photos and biometrics, which we all increasingly share across a number of smart devices. It covers both marketing data and financial transactions.
Data privacy laws of our own
The crux of the GDPR is to give consumers not just awareness of how their data is used, but control over whether it is gathered and used in the first place — and how it is protected.
Marketing that targets Europeans (so not just generic international English-language marketing) must obtain “freely given, specific, informed, and unambiguous” consent to use their data in a specific way. And companies can’t bundle that consent into one checkbox: If they want to put you on an email list and also share your data with third parties, you have to agree to both things separately. An opt-out approach won’t work, nor will dumping on them a lengthy “terms and conditions” page nobody will ever read.
Contrast that with how things work here. We take it as a given that our data will be collected, abused, sold, and stolen. We’re so beaten up on the subject that literally half of us expect to be identity theft victims in 2018 and many would gladly turn over personal data to save a few bucks at the store.
And there are stiff penalties for failing to comply with the GDPR — up to $24 million or 4 percent of global revenue, whichever is higher. Contrast that with the collective shrug here.
The GDPR also requires companies to notify authorities about data breaches within 72 hours of realization, with follow-up reports as the facts come clear. It also encourages them to maintain a database of all breaches that happen, and forces them to include compliance requirements among all their contractors, too.
Contrast that with here, where a year ago Equifax had one of the worst breaches ever, didn’t realize for over two months, and didn’t tell the public for another six weeks. Congress then turned around and rewarded Equifax with a bit of deregulation.
We need our own GDPR. When you look at the trend toward identity theft as the top consumer complaint over the past decade (maybe the recent spate of robocalls will finally top it) or the string of Facebook privacy scandals leading to people deleting their accounts, it’s obvious. Nine in 10 Americans believe it’s unethical for personal data to be shared without their consent and two-thirds worry about data security. The same study found 84 percent of Americans who understand what the GDPR is about support the regulations.
It’s an easy model to copy, and we can ditch things we’re not comfortable with. For instance, the European “right to be forgotten” weirds me out a little bit. Being able to delete your own marketing data makes sense, but not anything anybody has ever said about you. (Although the GDPR does specify the right does not extend where “exercising the right of freedom of expression and information,” I can see that getting twisted in court.)
Realistically, it should be folded into regulations on the biggest houses of our data — tech companies like Google and Amazon, and the credit bureaus. Americans should have the option to review, for free and in one simple central place, all the data kept on them at least once per year. We should be able to order errors corrected, and have false or outdated information removed, just like we can with credit reports. And unlike credit reports, when it comes to marketing data, we should be able to just delete whatever we want.
None of this is terribly likely to happen. Certainly not in a midterm election year, and maybe not ever with this Congress. But the GDPR is a great example of what we could have if we actually insisted on serious data privacy and security.
Article last modified on June 6, 2018. Published by Debt.com, LLC.