Years in the making, the rules are prompting companies to rewrite their privacy policies and, in some cases, apply the European Union’s tougher standards even in the U.S. and other regions where privacy laws are weak. Although they take effect as Facebook faces an enormous privacy crisis, that timing is largely coincidental.
Not much will change for you, at least right away; companies will keep on collecting and analyzing personal data from your phone, the apps you use and the sites you visit. The big difference is that now, the companies will have to justify why they’re collecting and using that information. And they’re prevented from using data for a different purpose later.
So now companies have been flooding their users with notices that aim to better explain their practices and the privacy choices they offer. EU regulators have new powers to go after companies that get too grabby or that don’t tell you clearly what they’re doing with your data.
Here’s a look at what the rules say and what they mean for consumers in the EU and elsewhere.
THE BIG DEAL WITH MAY 25 AND WHY IT WAS IMPORTANT
That’s when the EU’s General Data Protection Regulation takes effect. Instead of separate rules in separate nations across Europe, there’s now a single set for the entire EU.
The new rules apply to all users in the 28-nation EU, regardless of where the companies collecting, analyzing and using their data are located. So the rules will affect giants such as Facebook and Google and small U.S. businesses with just one European client alike.
WHAT DO THE NEW RULES SAY?
Companies have to use plain language to explain how they collect and use data. While companies generally aren’t changing what they’re doing, they are revising privacy policies to eliminate legalese. Google is embedding video (from its YouTube service, of course) to further explain the concepts.
GDPR spells out six specific ways that companies can justify the “processing,” or use, of personal data. Some are obvious, such as to fulfill contractual obligations — for instance, when an insurer pays out a claim. For other uses, such as ad targeting, companies can seek your consent. Those that aren’t sure they got consent properly are now going back to users.
There’s also a somewhat vague category called “legitimate interests.” It’s a catch-all justification that companies can fall back on to keep using data, though the company must show that its needs outweigh potential impact on users’ privacy, said David Martin, senior legal officer for the European consumer group BEUC.
Companies are also required to give EU users the ability to access and delete data and to object to data use under one of the claimed reasons. Firms have to clarify how long they retain data.
And the rules force companies that suffer data breaches to disclose them within 72 hours. By contrast, it took Yahoo more than two years to reveal a breach that ultimately involved three billion users.
FOR COMPANIES OUTSIDE EUROPE
Facebook, Google, and their ilk may be headquartered in Silicon Valley, but they have millions of users in Europe — and so have to comply with the new rules. Violators face fines of up to 20 million euros ($24 million) or 4 percent of annual global revenue, whichever is greater. That’s an incentive for companies to take these rules seriously.
WHAT ABOUT USERS OUTSIDE THE EU?
Companies based in the EU have to offer these privacy protections to all their users, not just EU residents. Beyond that, the EU rules merely say they apply to “data subjects who are in the Union.”
But it’s an open question how the rules will affect visitors to Europe. Ailidh Callander of the London-based group Privacy International says many questions will be tested in courts and further rulemaking.
What’s clear is that companies won’t have to be as aggressive getting consent for data collection outside of Europe. (Absent regulation, companies typically assume consent unless a user says otherwise.) They can hold off seeking affirmative consent until you visit the EU, at which point you might confront a pop-up notice.
A GLOBAL DOUBLE STANDARD
Some companies are extending at least some EU-style protections to all users. Among leading tech companies, Microsoft made the strongest promise to offer EU rights to users everywhere. However, companies outside the EU won’t face legal repercussions or fines if they fail to follow through with users outside the EU.
So unless the U.S. and other countries adopt privacy rules similar to those in the EU — something that’s not likely any time soon — many companies are likely to maintain double privacy standards.
Facebook CEO Mark Zuckerberg, for instance, promised “global settings and controls” for users during his U.S. congressional testimony in April, but was otherwise vague on the subject. When asked if U.S. users would have the same rights Europeans have to object to the use of data, Zuckerberg said, “I’m not sure how we’re going to implement that yet.”
But segmenting EU customers from the rest of the world isn’t easy, especially for smaller companies without Facebook’s or Google’s technical prowess. “It might seem like a smart move, but in some cases, it’s more work,” said Larry Ponemon, founder of the privacy research firm Ponemon Institute.
The verdict reached Thursday is the latest twist in a legal battle that began in 2011. Apple contends Samsung wouldn’t have emerged as the world’s leading seller of smartphones if it hadn’t ripped off the technology powering the pioneering iPhone in developing a line of similar devices running on Google’s Android software.
Previous rulings had already determined that Samsung infringed on some of Apple’s patents, but the amount of damages owed has been hanging in legal limbo. Another jury convened for a 2012 trial had determined Samsung should pay Apple $1.05 billion, but U.S. District Judge Lucy Koh reduced that amount to $548 million.
The issue escalated to the U.S. Supreme Court, which determined in 2016 that a lower court needed to re-examine $399 million of the $548 million. That ruling was based on the concept that the damages shouldn’t be based on all the profits that the South Korean electronics giant rang up from products that copied the iPhone because its infringement may only have violated a few patents.
Apple had argued it was owed more than $1 billion while Samsung contended the $399 million should be slashed to $28 million. The revised damages figure represents a victory for Apple, even though it isn’t as much as the Cupertino, California, company had sought.
“Today’s decision flies in the face of a unanimous Supreme Court ruling in favor of Samsung on the scope of design patent damages,” Samsung said in a statement. “We will consider all options to obtain an outcome that does not hinder creativity and fair competition for all companies and consumers.”
An eight-person jury came up with the new amount following a one-week trial and four days of deliberation in a San Jose, California, federal courthouse.
Apple expressed gratitude to the jury for agreeing “that Samsung should pay for copying our products.”
“This case has always been about more than money,” a company statement said. “Apple ignited the smartphone revolution with iPhone, and it is a fact that Samsung blatantly copied our design.”