As of 25 May 2018, the citizens of all 28 European Union nations are protected by new privacy laws known as the General Data Protection Regulation (GDPR). The first and most noticeable consequence of GDPR was the glut of emails from companies who we had previously given our details to, asking us whether they could continue to send us messages and use data regarding us. From airlines to family-run business and even sole traders, GDPR has forced us all to undergo profound changes.
What has changed
The EU regulation has introduced or reinforced measures to protect internet users, encompassing things like the safeguarding of children, authorisation for data procession, the right to be forgotten, withdrawal of consent and fines:
- Children who wish to use online services now require authorisation from their parents up until the age of 16 (though the limit is 13 in some countries).
- The way in which we grant our consent for our data to be used has changed. Now, requests to use our personal data must be expressed clearly and accompanied by various information, including the contact details of the person in charge of data protection.
- Right to be forgotten: if personal data is used illegally, we can now request that it be destroyed. This regulation also applies to search engines.
- Withdrawal of consent: we can withdraw our consent at any time by contacting the person in charge of data processing.
- Complaints: in the event that we think our rights have been violated, we can make a complaint to the national authorities, who will be forced to investigate and respond within three months.
- Fines: companies responsible for violating the regulations may be fined up to 4% of their revenue, regardless of where their legal headquarters are based.
The spirit of the new regulations
According to EU Commissioner for Justice Vera Jourova, the aim of the regulations is to avoid a repeat of scandals such as the Facebook-Cambridge Analytica affair or – at the very least – ensure that violations no longer go unpunished thanks to the “strong deterrent” posed by GDPR, which includes harsher sanctions for “culpable” companies.
In Italy, the regulations have been fully operational since August, when the government approved a decree to incorporate them into national law. The Privacy Authority has been given a central role in the first stage of application for the new regulations. That said, in the first eight months at least, it must acknowledge the fact that we are in the initial stage and avoid being overly strict in its sanctions to companies who are late in implementing the changes.
This softer, more gradual approach will be adopted primarily for SMEs, for which the Privacy Authority must issue simplified, tailored guidelines on how to adapt to the regulations. In Italy, particular attention has been given to the application of GDPR in sensitive sectors such as labour law and healthcare, though the biggest difference between Italy and the European context is the criminal sanctions that remain a part of our privacy laws. There will also be additional protection for whistle-blowers who report and make public illegal activities undertaken by companies or institutions.
The big players
Just a few months since the introduction of new regulations, all eyes are on how internet giants such as Facebook, Google, Apple, Twitter and Microsoft are going to ensure they adhere to the rules. The biggest question marks surround the use of the personal data of EU citizens, with that threat of a fine worth 4% of annual revenue looming if the companies fail to comply.
- Facebook: still reeling from the Cambridge Analytica scandal, the social network updated its privacy checks in March in order to make them easier to understand and identify. Facebook will ask European users for their consent for the use of facial recognition, a technology used in large parts of the world, but not in the EU or Canada (this will not be possible for those under the age of 18). Parents will be able to have more control over adverts, opinions and personal data for users under the age of 15.
- Microsoft: the company is committed to granting all users (including those in the USA and Asia) the same rights regarding privacy and data protection as EU citizens. Users will be able to log into their personal data and correct errors, export the information and make deletions. Users will also be able to oppose the use of their data for marketing and other purposes.
- Apple: the Cupertino-based company already had a guarantee that user data would remain on their device or by encrypted and stored on the cloud, so the main focus has been on ensuring information is clear and improving the way accounts are managed.
- Twitter: the social network is committing to processing user data in accordance with EU regulations and has invited users to read its privacy information before continuing to use its advertising services, following the introduction of GDPR.