Europe's GDPR a 'Hard Reality Check' for Facebook and Google

May 25, 2018

By Alisha Haridasani

As soon as Europe's sweeping data privacy policy went into effect, the world's biggest tech firms were hit with new lawsuits Friday challenging the companies commitment to protecting their users' personal information.

An Austrian privacy activist filed lawsuits against Facebook, Google, Instagram, and WhatsApp with different European regulators just as the new General Data Protection Regulation (GDPR) went into effect at midnight.

"This is a very hard reality check for companies, not just abroad, but in the U.S.," said Andrew Rossow, an lawyer specializing in internet law and a contributor to Forbes.

The lawsuits signal to tech companies that the bare minimum of protection is not going to be enough, and EU regulators will diligently enforce the new rules, Rossow said. Asking users to simply agree to terms of service, for example, "is not going to fly."

What is the GDPR?

The policy, passed by the European Parliament in 2016, seeks to protect all personal data, including "names, identification numbers, your health information, your gender, your orientation, your sexuality," said Rossow.

Websites are required to explicitly ask users if their personal data can be collected, telling them how it will be used, and giving them the option to delete their data.

The GDPR also forces companies to present their updated privacy policies to users in clear and simple language, not legalese. And they must inform users within 72 hours of a data breach.

How does the policy affect you?

The policy is intended to protect European Union citizens, but the global nature of the internet means it applies to all companies processing data of European citizens “regardless of the company’s location,” according to the EU's website. That’s why you’ve been inundated by emails from online services informing you of their new privacy policies.

In effect, the GDPR requirements have been adopted around the world, and may lead to new laws in the United States, said Rossow.

"I think what the GDPR is doing is getting us on that right path even if we're not in the EU or the U.K.," he said.

The GDPR also applies to how companies use the data they are allowed to collect, which means it could affect how Facebook and Google sell online advertising in Europe. The restrictions may end up getting rid of those targeted ads that follow you around the internet after you've searched for a new pair of shoes or a blender.

Will GDPR work?

The policy does have strong incentives for companies to comply: if they are found to be in violation, they can be charged up to 4 percent of their global revenue.

The lawsuit against Facebook and Google, for example, could result in almost $9 billion in fines.

For the full interview, click here.