The GDPR represented the first time that a major government body stood up to Big Tech by enacting legislation that would impose limits on the pervasive collection and use of personal data that had become the norm.
What is the GDPR?
The General Data Protection Regulation (GDPR) is legislation passed by the European Parliament and the Council of the European Union that regulates the ways in which companies or organizations can collect and use your data. The biggest change that the GDPR made to the way internet companies operate is that it requires consent to collect your data. It also outlines a series of core principles that companies need to follow when processing personal data, outlined below. You can read the full text of the GDPR here.
Why was the GDPR needed?
According to the full text of the GDPR, there were two main reasons that drove the law into being: globalization and technological advancements.
- Globalization. When the GDPR was written, each EU member state had its own way of dealing with data protection, but over 90% of Europeans wanted the same data protection rights across the EU. The increased flow of information across borders made enforcing data protection laws difficult, as those wishing to avoid more stringent laws could easily process data in a more lax European country.
- Technological advancements. Instead of standardizing existing laws, the GDPR went a step further, strengthening data protection on a new level—one that was more compatible with rapidly advancing technology. The world looked quite different in 2018 than it did in 1995, when the first European data law was passed. Technology like location services and cookies allowed advertisers to leverage personal data like never before.
Who does the GDPR apply to?
Although the GDPR only applies to companies or organizations that collect data from or offer goods or services to EU citizens or residents, you don’t have to be located in the EU to experience the impact of the GDPR. Because the internet is global, the rules that apply to the EU essentially apply everywhere, as it’s impractical for companies to have separate procedures for users outside of the EU.
The 7 GDPR principles
The GDPR holds data processors (organizations that use personal data in any way) to the following seven principles, outlined in Article 5 of the GDPR:
- Lawfulness, fairness, and transparency. This means that anything done with your data should not only be legal, but it should be easy for you, the data subject, to understand. For data processing to be legal, the data subject needs to consent.
- Purpose limitation. Data should only be used for the purpose(s) expressed when first collected. For example, if you visit a store and ask to have your receipt emailed to you, your purchase history should not be linked to your email account and used to serve you ads. (This happens all the time in the United States.)
- Data minimization. Companies and organizations should collect the minimum amount of consumer data needed for their stated purpose.
- Accuracy. Organizations and companies have an obligation to make sure the data they collect is accurate. If you believe that data collected about you is inaccurate, you can dispute it.
- Storage limitation. Data should only be stored as long as necessary—that means storing data indefinitely in case it becomes useful someday is a no-go. In fact, data controllers (owners or employees of a company or organization involved in decision-making regarding data) are obligated to let data subjects know exactly how long their data will be stored.
- Integrity and confidentiality. Companies are required to protect user data by maintaining high levels of cybersecurity to prevent a personal data breach. In the event of a data breach, organizations have 72 hours to notify those affected.
- Accountability. The data controller must be able to demonstrate compliance with all of the GDPR requirements and principles. Public authorities and companies engaged in large-scale data processing are required to appoint a Data Protection Officer (DPO) to ensure GDPR compliance.
Your rights under the GDPR
In addition to the seven principles that inform how organizations use data, the GDPR also outlines eight rights that data subjects (i.e. users) have.
- The right to information. Information about the way in which your data is collected and processed should be “concise, transparent, intelligible and easily accessible.” You have the right to know the identity and contact information of the data controller, the purpose of the data collection, and any time a third party is involved. (Articles 12 and 13)
- The right of access. You have the right to not only know how your data is being used, but to receive a copy of the personal data that is being processed. (Article 15)
- The right to rectification. You have the right to correct any inaccurate data about yourself. (Article 16)
- The right to erasure. Also known as the right to be forgotten, you have the right to have all of your personal information erased from an organization’s databases “without undue delay” (within about a month). (Article 17)
- The right to restriction of processing. You can restrict processing of your data if you believe the data is inaccurate or the processing is unlawful or unnecessary. This option exists for circumstances in which you object to data processing but don’t want to erase your data. (Article 18)
- The right to data portability. This is the right to transfer, or port, your data from one controller to another. The right to data portability protects you from having your data “stuck” with one service when you would prefer to move to another. (Article 20)
- The right to object. You have the right to object to data processing at any time, and upon your objection, the organization in question has a legal obligation to stop processing your data. (Article 21)
- Rights regarding automated decision-making and profiling. You have the right to not be subject to decisions made by automated processing alone, including profiling, if these decisions have significant or legal consequences. (Article 22)
How is GDPR compliance enforced?
The enactment of the GDPR created the European Data Protection Board, which is made up of the national data protection authorities from each EU country, called supervisory authorities (SAs). Each country’s SA is responsible for regulating the companies that have their European headquarters in that country. For example, Ireland is responsible for Apple, Facebook, Google, LinkedIn, and Twitter. Individuals can file complaints with their country’s SA, and regulators are required to respond to every complaint they receive.
The SA can then file a court case, which may result in fines. The fines for GDPR non-compliance can be steep: up to €20 million (almost $25 million) or 4% of revenue, whichever is higher. But court proceedings are often lengthy, and according to a February 2020 survey, 21 out of 30 national data protection authorities do not have enough resources to enforce the GDPR. So far, the only major tech company to have faced a GDPR fine is Google, which was fined €50 million in 2019 by the French data protection authority for failing to adequately disclose how it collects data across its many services to serve targeted advertisements.
A brief history of European privacy laws
Although the GDPR felt revolutionary, in some ways it was a natural extension of previous regulation. Here’s how data protection regulations have evolved:
- 1950: The European Convention on Human Rights determined that “everyone has the right to respect for his private and family life, his home, and his correspondence.” Although this predated the invention of the World Wide Web by almost 40 years, the right to privacy would serve as an important foundation for future data privacy laws.
- 1995: The European Data Protection Directive established standards for data security and privacy. Each of the EU member states was responsible for enforcing these standards.
- 2011: The European Union began requiring all websites to get users’ consent before serving or accessing cookies.
- 2016: The General Data Protection Regulation passed in European Parliament. Businesses and organizations affected by GDPR would have a two-year grace period to develop their compliance strategies.
- 2018: The GDPR went into effect, and all companies and organizations were expected to be compliant.
Is the GDPR enough for data protection?
Since its implementation in 2018, the GDPR has had wide-ranging consequences. Several countries rushed to update their data privacy legislation, since one provision of the GDPR is that data can only be transferred to countries that meet GDPR standards. So far, the only countries and territories that have received a positive “adequacy decision” from the European Commission are Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay.
In the United States, the major player has been California, which passed its data privacy law, the California Consumer Privacy Act (CCPA), in 2018. The CCPA, which grants rights similar to but not as far-reaching as the GDPR’s, went into effect in 2020. Pressure has also come from industry. In 2019, Tim Cook, the CEO of Apple, called for Congress to pass standardized data protection legislation similar to the GDPR. In the absence of any such legislation, Apple released its App Tracking Transparency feature in 2021, allowing users to opt out of tracking across apps and websites accessed from Apple devices.
As movement towards increased protection of personal data continues, there are a few things you can do to keep your own data private, such as blocking cookies or switching to a private search engine.
If you’d prefer a search experience where you don’t have to worry about tech companies watching and recording your every move, try Neeva. Neeva is the world’s first private, ad-free search engine, committed to showing you the best results for every search. We will never sell or share your data with anyone, especially advertisers. Try Neeva for yourself, at neeva.com.