Updated May 25, 2018 - Technology

A new era in global data privacy begins today

Illustration: Sarah Grillo/Axios

The emails cluttering your inbox this past week with privacy settings updates are happening for a reason: A sweeping new European data privacy law goes into effect today that is having a profound impact on American businesses.

Why it matters: The General Data Protection Regulation (GDPR), which the European Commission passed more than two years ago, was at first largely ignored by U.S. companies and regulators. But it's now becoming the global standard for how businesses mine and use consumer data, in part because of recent data breaches and scandals, like Cambridge Analytica's misuse of Facebook data.

The big picture: American companies are bracing for the market impact of the new privacy standards, while Europeans are celebrating them as a part of a years-long push to better protect citizen's privacy.

How we got here: Europe's data privacy push stems from cultural trends, dating back to World War II and the Holocaust, that favor individual privacy over government or corporate powers.

  • Specifically, laws under the Nazi regime worked to strip the privacy of Jewish people to undermine their businesses and seize their wealth, like requiring Jews to register their property.
  • As a result of these atrocities, fear of government and corporate abuse of personal data is widespread in Germany, and is reflected in cultural norms. For example, only 37% of Germans use social media but 86% have internet access, according to Pew Research Center.

What it means for U.S. consumers: You'll get many more notifications from companies with details about how they're using your data, and direct requests to share your data with third parties or partners.

  • When you sign up for a service, you typically provide your name and email address, and maybe a phone number. But modern companies know much more than that about you: They track how you interact with their websites and platforms, how often you click on certain things, and where you go on the web afterward.
  • More visibility: With GDPR in place, you can now access that data to see what, exactly, different services and companies know about you.
  • In the U.S., it's a sea change for consumer privacy, said Justin Antonipillai, CEO of Wirewheel.io, which helps companies comply with the new rules. "Understanding how you're interacting with these companies has a chance to change how people think about their privacy."

What it means for businesses: Europeans tend to favor individuals when it comes to data ownership, while Americans tend to favor companies. As a result, we have let data-driven business in the U.S., like Google and Facebook, grow to become some of the biggest economic powerhouses in the world by selling consumer data to marketers.

  • The new European law will hinder that practice dramatically, by requiring that companies have a lawful basis for processing personal data. The rules also streamline data collection practices, making it harder for sketchy data vendors to collect data from users in an obscure fashion.
  • Companies around the world are spending millions of dollars to comply, which is creating a new market for privacy consulting. Non-compliance could result in daily fines of €20 million or 4% of global annual revenue in the prior year, meaning that if these companies don't get their data compliance practices together, it could be devastating to their businesses.
  • Compliance with the new rules is already being baked into business arrangements. For example, before establishing a relationship with a third party, many companies are contractually requiring partners to certify that they are GDPR compliant.

Big vs. small: Some of the biggest U.S. tech firms have the most to lose because they collect the most data, but they are also the most likely to be able to afford compliance measures. (Microsoft, for example, has hired 300 engineers to handle the job.)

  • Small businesses, meanwhile, worry that the law, which was written somewhat vaguely to address broad use cases, will have an unintended effect of strengthening some of the data powerhouses that have the money to pay for compliance measures, while strangling smaller businesses that don't.
  • In an interview with Axios, U.K. Secretary for digital, culture, media and sport Matt Hancock suggested regulators (at least within the UK) are willing to be flexible with enforcement early in the process for small businesses, and that they are more focused on cracking down on companies collecting data for nefarious purposes.
Go deeper