The European Union has a new law on the books for protecting data privacy. It's the General Data Protection Regulation, more commonly called the GDPR. This Friday, it goes into effect in the EU's 28 member states.
The law changes the rules for companies that collect, store or process large amounts of information on residents of the EU, requiring more openness about what data they have and who they share it with.
That means you, Facebook.
It also means any company with a digital presence in the EU (which for the time being still includes the UK) will have to comply with the law or face steep penalties.
The deadline to comply with the law has been looming for two years, ever since the European Parliament adopted it in April 2016. When the Cambridge Analytica scandal at Facebook emerged in March, privacy advocates found an eye-catching example of why internet users might want more control over who can access their data.
The GDPR came up several times duringin April, and it was a major focus Tuesday when members of the . EU officials said to questions about the GDPR, and he promised to follow up with answers in writing.
"I think the GDPR in general is going to be a very positive step for the internet," Zuckerberg told US lawmakers, going on to discuss Facebook's plans to, and become about on the site.
It's not just the household names of the internet like Facebook that will have to comply. Health care providers, insurers, banks and any other company dealing in sensitive personal data will also be on the hook. That's why your inbox is getting.
The GDPR will have a significant impact on our online footprints and how the apps and services we use protect or exploit them. Here's what you need to know.
What is the GDPR?
The General Data Protection Regulation is a sweeping law that gives residents of the European Union more control over their personal data and seeks to clarify rules and responsibilities for online services with European users. It replaces the EU's previous law governing data protection, passed in 1995, and makes some dramatic changes to existing conventions.
The regulation expands the scope of what companies must consider personal data, and it requires them to closely track the data they've stored on EU residents. If someone in the EU wants a company to delete his or her data, send copies of the data, or correct an error in the data, companies have to comply.
The law goes even further than that. EU residents can now object to specific ways companies are using their data, saying that they don't mind if a company keeps the data as long as it stops using the info for a particular purpose.
What's more, the law requires companies to notify users within 72 hours of a data breach -- something very few companies currently do. For example, during the Equifax breach that exposed the personal information of millions of people in the US and beyond, the company spent weeks stopping the attack and then planning how to deal with the damage before informing the public.
How will the EU enforce the GDPR?
Each member state of the EU will have its own enforcement mechanism, with one GDPR supervisor per country.
Residents can make complaints to the governing body in their respective country. Companies found in violation of the law will face fines that could be very steep. The maximum fine for a GDPR violation is 20 million euros or 4 percent of a company's annual global revenue from the year before, whichever is higher.
When does the GDPR take effect?
Friday. The regulation was ratified in 2016 and organizations were given a two-year "implementation period" to prepare. This grace period ends on May 25, 2018, when enforcement begins in earnest.
Does this law apply only to companies based in the European Union?
No -- and this is why it's major international news. The GDPR applies to any organization that collects, processes, manages or stores the data of European citizens. This includes most major online services and businesses that collect, process, manage or store data. Because of this, the GDPR essentially sets a new global standard for data protection.
On Friday,, with some saying they are looking for ways to go back online in EU countries.
What kind of data does the GDPR protect?
The regulation applies to a broad array of personal data, including a person's name and government ID numbers. It also protects information that can show a person's activity both online and in the real world. That includes location information, as well as IP addresses, cookies and other data that lets companies track users as they browse the internet.
How will this affect Facebook and other social-media companies?
Many large online services and social-media companies are updating their privacy policies and terms of service to prepare for the new legislation. Facebook's response is sure to be closely scrutinized by European regulators, given the Cambridge Analytica scandal as well as past concerns about the company's data collection. Austrian privacy advocates filed complaints on Friday, the first day the GDPR went into effect,, as well as Instagram and WhatsApp (both owned by Facebook.)
These include the kerfuffle in 2007 over the company's controversial Beacon advertising program that broadcast user activity on partner sites. And don't forget user uproar when Facebook and its subsidiary Instagram. The GDPR makes it much clearer that these kinds of activities aren't OK.
In his testimony during a joint hearing of the Senate's Judiciary and Commerce Committees on April 10, Zuckerberg stated his support "in principle" for a GDPR-like opt-in standard for users before they give up their data -- but he didn't commit, adding "details matter." (, which he left open during a short break, included a warning: "Don't say we already do what GDPR requires.")
How will this affect me, a non-EU resident?
But those rights don't have the force of law behind them, which means you can't file a complaint against Microsoft for violating the GDPR if you aren't an EU resident. While you enjoy these rights only as long as a company says you do, it does show that the European regulations are reshaping the way major companies approach user data.
Could the EU fine Facebook for sketchy things it did in the past?
Seems not. In an interview with Bloomberg, EU Justice Commissioner Vera Jourova said the new GDPR rules "cannot be applied in this [Cambridge Analytica scandal], because there's no retroactivity possible."
How does the regulation affect hacks and breaches?
The GDPR requires companies that have lost control over customer data, or that've been hacked, to notify users within 72 hours. That's one of the rules that carries the maximum penalty. For instance, if Facebook was found to have failed to comply, it could be liable for a $1.6 billion penalty (based on its 2016 annual revenue of $40 billion).
Are there special protections for minors?
The GDPR requires businesses and organizations to obtain parental consent to process the personal data of children under the age of 16.
Does the US have any legal equivalent to the GDPR?
No. Most states have their own laws governing data breaches and notification requirements, and most apply to only a limited type of data: Social Security numbers and health or financial information.
on how public companies should disclose breaches and risks.
Californians could be voting on a data privacy law this year, the California Consumer Personal Information Disclosure and Sale Initiative. That would let residents request copies of their data from companies, find out which third parties companies have sold their data to, and ask companies not to sell or share their personal data.
First published April 4 at 6:00 a.m. PT.
Updated April 11 at 1:24 p.m. PT: Added Mark Zuckerberg quotes and other information from his appearances before Congress
Updated May 24 at 5:00 a.m. PT: Added more details about the law and its impact outside the EU and about Zuckerberg's appearance before the EU Parliament.
Updated May 25 at 11:58 a.m. PT: Added information on privacy policies and GDPR complaints against Google and Facebook.
Cambridge Analytica: Everything you need to know about Facebook's data mining scandal.
Protect Yourself: A guide to the different ways you can protect your privacy online.
US Tech Policy
reading•What the GDPR means for Facebook, the EU and you
Oct 9•How to register to vote before time is up
Sep 28•Google CEO Sundar Pichai to testify before US House in November
Sep 25•Snapchat wants to make sure you're registered to vote
Sep 8•Facebook and Twitter in DC: What the congressional hearings looked like up close