
How Facebook is responding to Europe's new GDPR privacy rules

Everything you need to know about the EU's new data privacy law.

The European Union is raising the standards -- and stakes -- of personal data privacy. In May 2018, the General Data Protection Regulation (GDPR) will take effect and change the rules of the road for companies that collect, store or process large amounts of user information. That means you, Facebook.

The law will impact businesses and users far beyond the borders of the continent, however. Every company that operates in Europe, or has European users, will be required to observe the GDPR's stricter privacy standards and give users more access to and control over their own data.

The GDPR came up several times during Facebook CEO Mark Zuckerberg's testimony before Congress on April 10 and 11. "I think the GDPR in general is going to be a very positive step for the internet," he said, while also discussing Facebook's plans to tighten data policies, protect users from further leaks and become more transparent about who's advertising on the site.

Without a doubt, the GDPR will be a significant factor in guiding Facebook's data privacy policies moving forward. Given that many online businesses have European customers or users, whether or not they have offices or store data there, the EU is essentially setting a new global standard for data and privacy. And it's not just Facebook, Google and other big internet companies that will have to comply: Health care providers, insurers, banks and any other company dealing in sensitive personal data will also be on the hook.

The timing is auspicious. Security breaches that have exposed credit card numbers and other sensitive personal data -- at companies such as Saks, Lord & Taylor, Orbitz, Uber and Equifax, to name just a few -- are ever more common. The new law underscores increasing government interest in how companies seek to protect and profit from the data they collect.

The GDPR will have a significant impact on our online footprints and how the apps and services we use protect or exploit them. Here's what you need to know.

Read: EU to investigate Facebook and Cambridge Analytica data misuse

What is the GDPR?

The General Data Protection Regulation is a sweeping law that gives European citizens more control over their personal data and seeks to clarify rules and responsibilities for online services with European users. It replaces the EU's previous directive governing data protection, passed in 1995, and makes some dramatic changes to existing conventions, including:

  • Unifying the rules for how companies should handle the data of European citizens
  • Expanding the scope of what's understood to be personal data
  • Clarifying the roles and responsibilities of those who control and process data
  • Streamlining enforcement authority to one supervisor per member state
  • Compelling companies to notify consumers of a data breach within 72 hours
  • Intensifying the penalties for noncompliance

When does the GDPR take effect?

The regulation was ratified in 2016 and organizations have been given a two-year "implementation period" to prepare. This grace period ends on May 25, 2018, when enforcement begins in earnest.

Does this law apply only to companies based in the European Union?


No -- and this is why it's major international news. The GDPR applies to any organization that collects, processes, manages or stores the data of European citizens, wherever that organization is based. This covers most major online services and businesses. As such, the GDPR essentially sets a new global standard for data protection.

Who enforces the GDPR?

The European Parliament passed the law in April 2016, and each member state will have its own supervising authority.

What kind of data does the GDPR protect?

The regulation applies to a broad array of personal data including name, ID numbers and location, as well as IP addresses, cookies and other digital fingerprints.

Here's how the EU's Data Protection Supervisor defines it:

"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

How will this affect Facebook and other social media companies?

Many large online services and social media companies are updating their privacy policies and terms of service in order to prepare for the new legislation. Facebook's response is sure to be closely scrutinized by European regulators, given the company's checkered past with regard to user data. The recent Cambridge Analytica scandal, in which millions of US voters had their Facebook data misappropriated by consultants working for Donald Trump's presidential campaign, is only the most recent mishap.

In 2007, the company abandoned its controversial Beacon advertising program, which broadcast user activity on partner sites. In the past, Facebook and its subsidiary Instagram have also suggested that they own users' profile data and photos. The GDPR makes it much clearer that these kinds of activities aren't OK.

In his testimony during a joint hearing of the Senate's Judiciary and Commerce Committees on April 10, the Facebook CEO stated his support "in principle" for a GDPR-like opt-in standard for users before they give up their data -- but didn't commit, adding "details matter." (Zuckerberg's notes, which he left open during a short break, included a warning: "Don't say we already do what GDPR requires.")

Read: Zuck to Congress: I welcome regulation -- if it's the right regulation

How will this affect me?

The ways that Facebook uses personal data have come under intense scrutiny in the wake of the Cambridge Analytica scandal, prompting many users to delete their accounts. In January, Facebook said it would introduce a new privacy center to group its privacy settings in one place to comply with the GDPR.


Many companies have already sent notifications to users about updated privacy policies. In addition to embedding new information in its recent iOS update, Apple has announced that it will roll out new privacy management tools that make it simpler to get a copy of your data, request a correction to your data, deactivate your account and delete your account completely.

Read: How to delete your Facebook account

Could the EU fine Facebook for sketchy things it did in the past?

Seems not. In an interview with Bloomberg, EU Justice Commissioner Vera Jourova said the new GDPR rules "cannot be applied in this [Cambridge Analytica scandal], because there's no retroactivity possible." 

How does the regulation impact hacks and breaches? 

The GDPR requires companies that have lost control over customer data, or that have been hacked, to notify users within 72 hours. Organizations found in breach of the new rules can be fined up to 4 percent of their annual global revenue. If Facebook were found to be out of compliance, for example, it could be liable for a $1.6 billion penalty (based on its 2016 annual revenue of $40 billion).

Are there special protections for minors?

The GDPR requires businesses and organizations to obtain parental consent to process the personal data of children under the age of 16. 

Does the US have any legal equivalent to the GDPR?

No. Most states have their own laws governing data breaches and notification requirements, and most apply only to limited types of data -- social security numbers and health or financial information. The SEC recently issued guidance on how public companies should disclose breaches and risks.

The Transatlantic Consumer Dialogue, a coalition of US and European consumer groups, has called on Facebook to adopt the GDPR's new standards, including its expansive definition of personal data and its requirement for rapid, comprehensive notification in case of a breach.

Updated April 11 at 1:24 p.m. PT: Added Mark Zuckerberg quotes and other information from his appearances before Congress.