What the GDPR means for Facebook, the EU and you

Everything you need to know about the European Union's new data privacy law, regardless of where you live.


The European Union has a new law on the books for protecting data privacy. It's the General Data Protection Regulation, more commonly called the GDPR. This Friday, it goes into effect in the EU's 28 member states.

The law changes the rules for companies that collect, store or process large amounts of information on residents of the EU, requiring more openness about what data they have and who they share it with.

That means you, Facebook.

It also means any company with a digital presence in the EU (which for the time being still includes the UK) will have to comply with the law or face steep penalties.

The deadline to comply with the law has been looming for two years, ever since the European Parliament adopted it in April 2016. When the Cambridge Analytica scandal at Facebook emerged in March, privacy advocates found an eye-catching example of why internet users might want more control over who can access their data.

The GDPR came up several times during Facebook CEO Mark Zuckerberg's testimony before the US Congress in April, and it was a major focus Tuesday when members of the European Parliament questioned Zuckerberg in Brussels. EU officials said they weren't satisfied with the Facebook CEO's answers to questions about the GDPR, and he promised to follow up with answers in writing.

"I think the GDPR in general is going to be a very positive step for the internet," Zuckerberg told US lawmakers, going on to discuss Facebook's plans to tighten data policies, protect users from further leaks and become more transparent about who's advertising on the site.

It's not just the household names of the internet like Facebook that will have to comply. Health care providers, insurers, banks and any other company dealing in sensitive personal data will also be on the hook. That's why your inbox is getting flooded with updated privacy policies.

The GDPR will have a significant impact on our online footprints and how the apps and services we use protect or exploit them. Here's what you need to know.


What is the GDPR?

The General Data Protection Regulation is a sweeping law that gives residents of the European Union more control over their personal data and seeks to clarify rules and responsibilities for online services with European users. It replaces the EU's previous law governing data protection, passed in 1995, and makes some dramatic changes to existing conventions.

The regulation expands the scope of what companies must consider personal data, and it requires them to closely track the data they've stored on EU residents. If someone in the EU wants a company to delete his or her data, send copies of the data, or correct an error in the data, companies have to comply.


The law goes even further than that. EU residents can now object to specific ways companies are using their data, saying that they don't mind if a company keeps the data as long as it stops using the info for a particular purpose.

What's more, the law requires companies to notify users within 72 hours of a data breach -- something very few companies currently do. For example, during the Equifax breach that exposed the personal information of millions of people in the US and beyond, the company spent weeks stopping the attack and then planning how to deal with the damage before informing the public. 

How will the EU enforce the GDPR?

Each member state of the EU will have its own enforcement mechanism, with one GDPR supervisor per country.

Residents can make complaints to the governing body in their respective country. Companies found in violation of the law will face fines that could be very steep. The maximum fine for a GDPR violation is 20 million euros or 4 percent of a company's annual global revenue from the year before, whichever is higher.

When does the GDPR take effect?

Friday. The regulation was ratified in 2016 and organizations were given a two-year "implementation period" to prepare. This grace period ends on May 25, 2018, when enforcement begins in earnest.

Does this law apply only to companies based in the European Union?


No -- and this is why it's major international news. The GDPR applies to any organization that collects, processes, manages or stores the data of European citizens, which includes most major online services and businesses. Because of this, the GDPR essentially sets a new global standard for data protection.

On Friday, several news websites based in the US stopped operating in Europe, with some saying they are looking for ways to go back online in EU countries.

What kind of data does the GDPR protect?

The regulation applies to a broad array of personal data, including a person's name and government ID numbers. It also protects information that can show a person's activity both online and in the real world. That includes location information, as well as IP addresses, cookies and other data that lets companies track users as they browse the internet.

How will this affect Facebook and other social-media companies?

Many large online services and social-media companies are updating their privacy policies and terms of service to prepare for the new legislation. Facebook's response is sure to be closely scrutinized by European regulators, given the Cambridge Analytica scandal as well as past concerns about the company's data collection. Austrian privacy advocates filed complaints on Friday, the first day the GDPR went into effect, against Google and Facebook, as well as Instagram and WhatsApp (both owned by Facebook).

These include the kerfuffle in 2007 over the company's controversial Beacon advertising program that broadcast user activity on partner sites. And don't forget user uproar when Facebook and its subsidiary Instagram claimed to own user profile data and photos. The GDPR makes it much clearer that these kinds of activities aren't OK.


In his testimony during a joint hearing of the Senate's Judiciary and Commerce Committees on April 10, Zuckerberg stated his support "in principle" for a GDPR-like opt-in standard for users before they give up their data -- but he didn't commit, adding "details matter." (Zuckerberg's notes, which he left open during a short break, included a warning: "Don't say we already do what GDPR requires.")


How will this affect me, a non-EU resident?

Facebook, Microsoft, Twitter, Apple and others have all offered users beyond the European Union some additional rights over their data.

But those rights don't have the force of law behind them, which means you can't file a complaint against Microsoft for violating the GDPR if you aren't an EU resident. While you enjoy these rights only as long as a company says you do, it does show that the European regulations are reshaping the way major companies approach user data.

The other way this affects you is with the barrage of privacy policy updates you've likely received over the past few months. Many companies crafted new privacy policies in advance of the GDPR going into effect, and then they told you about it all at the same time. 


Could the EU fine Facebook for sketchy things it did in the past?

Seems not. In an interview with Bloomberg, EU Justice Commissioner Vera Jourova said the new GDPR rules "cannot be applied in this [Cambridge Analytica scandal], because there's no retroactivity possible." 


How does the regulation affect hacks and breaches? 

The GDPR requires companies that have lost control over customer data, or that have been hacked, to notify users within 72 hours. That's one of the rules that carries the maximum penalty. For instance, if Facebook were found to have failed to comply, it could be liable for a $1.6 billion penalty (based on its 2016 annual revenue of $40 billion).

Are there special protections for minors?

The GDPR requires businesses and organizations to obtain parental consent to process the personal data of children under the age of 16. 

Does the US have any legal equivalent to the GDPR?

No. Most states have their own laws governing data breaches and notification requirements, and most apply to only a limited type of data: Social Security numbers and health or financial information.

The SEC recently issued guidance on how public companies should disclose breaches and risks.

Californians could be voting on a data privacy law this year, the California Consumer Personal Information Disclosure and Sale Initiative. That would let residents request copies of their data from companies, find out which third parties companies have sold their data to, and ask companies not to sell or share their personal data.

First published April 4 at 6:00 a.m. PT.
Updated April 11 at 1:24 p.m. PT: Added Mark Zuckerberg quotes and other information from his appearances before Congress
Updated May 24 at 5:00 a.m. PT: Added more details about the law and its impact outside the EU and about Zuckerberg's appearance before the EU Parliament.
Updated May 25 at 11:58 a.m. PT: Added information on privacy policies and GDPR complaints against Google and Facebook.
