A flood of odd-looking messages is swelling email boxes in the U.S., telling recipients that they have to take action – click a button, enter an email address, log on to an account – because of something called GDPR. That’s not something that was dreamed up by a Nigerian prince to funnel millions of dollars your way (but be careful – it is a golden opportunity for fraudsters to exploit complacency). It’s a new European Union online privacy rule that’s about to take effect – the General Data Protection Regulation, as it’s formally known.
The new regulation imposes strict data privacy requirements, including plain language notices and opt-in permission, on companies anywhere in the world…
The GDPR not only applies to organisations located within the E.U. but it will also apply to organisations located outside of the E.U. if they offer goods or services to, or monitor the behaviour of, E.U. data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
A U.S. company with only U.S. customers can ignore it, but since on the Internet, no one knows if you’re a dog or a European, the safe route is to accept the E.U. rule as the lowest common denominator and apply the required safeguards across the board.
That’s how the online world works. Legal borders exist, but you never know when you’re going to cross one. The U.S. Congress can debate privacy rules all it wants, but the E.U. has effectively preempted it. Unless U.S. lawmakers want to raise the stakes and implement even tougher safeguards.
It’s a principle that’s worth keeping in mind as the California legislature considers enacting its own network neutrality laws. If the E.U. – counted as one, the world’s second largest economy – can write default rules for the Internet, then maybe California, the fifth largest economy, can too.