The day of reckoning is nearly here for E.U. businesses, and this could have consequences for American companies, too.
On Friday, May 25th, Europe's General Data Protection Regulation--otherwise known as GDPR--takes effect. The series of new laws, intended to protect E.U. citizens' digital rights, could have wide-reaching implications for tech companies including Facebook, Google, Amazon, and Twitter.
As part of the new rules, individuals will be able to ask companies what personal data they're holding on them, and insist that it be deleted. Companies, meanwhile, will need to ask for a user's consent before culling information they can then sell to digital marketers. Businesses will also need to disclose data breaches to the local authorities within a period of three days, or risk huge fines. Failure to comply with GDPR could result in penalties of 20 million euros or 4 percent of global revenue, whichever is greater.
Naturally, major tech companies such as Apple, Yahoo, and Spotify have invested time and money in updating or otherwise adapting their privacy settings; you likely already received updated privacy statements via email, for instance.
However, many small businesses say they don't have the resources to do the same. As a result, some businesses have gone so far as to shut down their European operations full stop, in anticipation that they won't be able to comply with the rules. Drawbridge, an advertising technology company and former Inc. 5000 honoree, will reportedly no longer operate across the pond, for instance. And earlier this month, the mobile marketer Verve announced it would be shutting down its European business and laying off around 15 employees. "We have decided that the regulatory environment is not favorable to our particular business model," a spokesperson for Verve told AdExchanger.
Even companies that don't operate in Europe may still need to act. Experts note that GDPR applies to E.U. citizens' data, whether or not the data was harvested in Europe. (For instance, a French citizen could file the equivalent of a class-action lawsuit in France against a company in New York City, if this person can prove the company misused his or her data.) Therefore, closing down operations--as Drawbridge and Verve have--doesn't necessarily exempt you from being sued.
Here are three other myths about GDPR, debunked:
1. GDPR only carries implications for big-data companies.
This is false. Although much of the attention around user privacy has focused on social networks and search engines, particularly in light of the Cambridge Analytica scandal earlier this year, there are hundreds of companies in sectors as varied as consumer products and healthcare to whom the GDPR rules could apply. Consider, for example, that automakers such as BMW and Volvo collect data on passengers, ranging from your location to how fast you drive and even your weight. Indeed, by 2021, 98 percent of new cars sold in the U.S. and Europe will be internet connected, according to global research firm Gartner. Healthcare companies that digitize things like medical records could similarly be caught in the crosshairs, as, of course, would financial technology startups and banks.
2. GDPR rules will be enforced the same across the Eurozone.
The passage of GDPR rules is a win for privacy advocates, but it far from guarantees that sweeping change will occur overnight. There will likely be a series of class action lawsuits before various courts, affecting a myriad of companies. If those cases ultimately come before the European Data Protection Board or the European Court of Justice in Luxembourg, however, that would pave the way for the rules to be implemented in the same way across the E.U. Those courts have wide jurisdictions, so once a precedent is set, it would affect businesses more broadly.
3. There are no workarounds for small businesses.
Many entrepreneurs concerned about paying crippling fines are turning to nascent services, such as GDPR Shield, that would block E.U.-based visitors from visiting a given site. Of course, as noted above, this doesn't necessarily exempt them from having E.U. customers, but it could prevent them from being audited in the interim.