The General Data Protection Regulation, or GDPR, goes into effect today, threatening huge fines for businesses that abuse Europeans’ data.
The dos: From now on, companies everywhere must:
get EU citizens’ consent to collect their personal data and explain what it will be used for
let them see, correct, and delete it upon request
make it easy for users to shift their data to other firms
The don’ts: Companies must not ignore regulators’ requests to fix GDPR failings, nor take more than 72 hours to report a security breach involving personal data. Many still aren’t fully ready for the new regime.
The punishment: The worst offenders can be fined up to 20 million euros ($23 million) or 4 percent of their revenue from the prior year, whichever is greater. There are smaller penalties for less serious transgressions.
The panic: Some American media groups have already blocked EU users from their sites rather than run the risk of fines. The rules also have huge implications for social-media companies like Facebook, which has asked people to update their privacy settings. Privacy activists have already filed complaints against Facebook and Google.
Why this matters: Europe’s tough standards could influence how America and other countries shape their data protection regimes.