We’ve been waiting years for its arrival, holding our breath in nervous anticipation—and finally, on May 25, the world will experience it. But enough about the new Star Wars movie. The same day that “Solo” lands in theaters, another powerful force will make itself felt across the European Union and beyond: the GDPR. For two years, Europeans have been preparing for the General Data Protection Regulation, which is better known by its acronym. It goes into effect in the EU on May 25.
If the GDPR sounds alien to you, you’re not alone. But in truth, it’s far less dramatic than the adventures of Han and Chewy.
The GDPR legislation, approved in April 2016, creates new rules to govern how companies doing business in the EU can use consumers’ data. In addition to turning over more control of their data to consumers, the legislation aims to establish more uniformity in privacy rules throughout the EU.
Under GDPR rules, companies may no longer present consumers with byzantine consent agreements that roll up a host of statements about what they can do with their information. Instead, companies must break them up into individual consent agreements. The process for withdrawing consent should be simple, according to the new rules.
Other GDPR requirements cover transparency concerns, such as enabling consumers to access personal data being stored by companies. Punishments for violating the GDPR laws could be steep: A fine of up to 4 percent of a company’s annual revenue or $24.6 million, whichever is greater.
Coming at a time when U.S.-based social media giants like Facebook are taking fire for their perceived facilitation of Russia’s campaign to influence the 2016 presidential race, the advent of GDPR raises the question of whether a similar regulatory regime is in store in the United States. Sens. Edward J. Markey (D-MA) and Richard Blumenthal (D-CT) introduced a bill in April intended to create privacy safeguards for the customers of online service providers. A separate bill introduced in April by Sens. Amy Klobuchar (D-MN) and John Kennedy (R-LA) would force companies to inform users that their data is being collected and identify third parties with access to their information.
Between continued and rampant identity theft, data breaches, and nefarious foreign activities, the likelihood of Americans seeing GDPR-like measures in the near future seems high. Even if Congress doesn’t take action, the Googles and Facebooks of the world understand that enhanced privacy measures are a must in the eyes of consumers.
In fact, complying with GDPR likely gives many U.S. companies a head start on where the world of data security is heading.