GDPR: the new data legislation in Europe

25/05/18

During the last few weeks you should have received several emails about updates to privacy and usage policies. The reason for this is GDPR, new European legislation that aims to ensure more privacy for European users, but whose implications reach practically the whole world, including Brazil.

GDPR stands for General Data Protection Regulation (in Portuguese, Regulamento Geral de Proteção de Dados). The law was passed by the European Parliament in April 2016, after four years of debate and drafting. It took effect on May 25, 2018, creating new rules for how internet companies handle user data.

The general idea is to ensure more transparency, security and privacy in the collection and retention of private data. The regulation applies not only to European companies, but also to all companies offering their services in Europe. As the law comes into effect today and will affect many companies and users, it is worth taking a closer look at what it is, what changes, and what can happen to those who fail to comply with the new rules.

8 major changes

On its official page, the GDPR lists all the changes that take effect from May 25.

Here is a short summary with the eight central points of the new legislation:

1. Explicit consent

From now on, collecting private data, as well as using that information, is only allowed after the explicit consent of the users.

2. Notification of leaks

Companies have 72 hours to notify users of any data leak that could compromise individual rights and freedoms.

3. Right to access

Users of online services may require companies to report what kind of data they hold about them, where the information is stored, and for what purpose it was collected. Companies are obliged to supply a digital copy of this data free of charge.

4. Right to data erasure

In some cases, people may request the complete removal of their data from the internet. Cases in which keeping the data is considered to be in the public interest are excluded, however.

5. Data portability

Just as a phone number can be moved from one carrier to another without loss, data in Europe can also be moved smoothly. Companies must provide the user with a copy of their information “in a machine-readable and common format,” according to the law.

6. Privacy from the outset

The concept is not new, but it becomes law for the first time with GDPR. Also known by the English term “privacy by design,” it requires that privacy-protecting features be built in from the very beginning of a system’s development.

7. Direct and simple language

Businesses are also required to set out their usage and privacy guidelines to users more clearly and objectively – that’s one reason many of them have rewritten part of their policies and notified you by email.

8. Heavy fines

Any company under the jurisdiction of GDPR that violates the new law may be fined up to 4% of its annual revenue or $20 million, whichever is greater.

Noncompliance

With the law in force for only a few hours, irregularities have already been reported, allegedly committed by some of the biggest technology companies in use today: Facebook, Google, WhatsApp and Instagram.

According to the European non-profit organization Noyb, which works on consumer rights, the companies cited are allegedly forcing users to agree to the new terms of service, which conflicts with the new law’s requirement that such consent be freely given by the platform user.

In Brazil, some of the points introduced by GDPR are already covered by individual laws, but the country is still far from having universal and comprehensive legislation on the subject.

Sources: TecMundo and Noyb.