Europe’s tough new privacy law, the General Data Protection Regulation (GDPR), came into force today. It provides the strongest protections the world has ever seen for customer and user data.
Even Apple – a company famed for its respect for customer privacy – had to strengthen its safeguards in order to meet the extremely high standards set by GDPR. But while the law only applies to European Union citizens, Apple and some other companies have said that they plan to roll out the same privacy standards worldwide …
The reason is likely a mix of three factors. First, pragmatism. It gets complicated and messy if Apple has to apply different data-handling processes in different countries – especially given that GDPR applies to EU citizens anywhere in the world. So if an EU citizen moves to the USA without losing their existing citizenship, Apple has to apply GDPR-standard protections to their data. Even if they switch to a US Apple ID. That minefield means it’s far more practical to apply the same protections worldwide.
Second, PR. The world can now see exactly how careful companies are required to be when it comes to handling the personal data of EU citizens. It would be natural for people in other countries to ask why Apple feels their data should be treated with less respect.
Third, values. Respecting customer privacy is already a core value for Apple. GDPR is the new gold standard for privacy, and I’d expect Apple to want to live up to that standard.
What protections does GDPR offer?
The GDPR has no fewer than 99 separate articles, but here are some of the key requirements for companies that want to store and process your personal data …
- There must be a specific, lawful reason to process the data
The law sets out six acceptable reasons to hold your data. Effectively that comes down to either being able to show a reasonable basis for needing to do so (for example, in order to deliver something you have ordered), or having your consent.
When consent is the reason, the law gets very specific. For example, a company can’t add your email address to its database and then rely on offering an unsubscribe link. It must have asked your permission before storing your email. And it can’t pre-check a box and ask you to uncheck it if you want to opt out: everything has to be on an opt-in basis.
- Personal data must be encrypted
Even where you have agreed to allow a company to store your personal data, that data must be stored in either an anonymized or encrypted form. This is to ensure that, if the company is hacked, your data is still safe. Also, anyone within the company accessing your data must have a lawful reason to do so.
- You have a right to a copy of your data
You have a right to see all the data a company holds on you. No charge can be made for releasing this data (the first time you ask for it – a company can make an admin charge if you ask again later).
Apple recently met this obligation by providing a new privacy portal where EU citizens, along with those in the wider European customs union, can download a copy of all of the data Apple holds on them.
- You can ask for your data to be deleted
Previously, if you decided you no longer wanted your Apple ID, it was OK for Apple to disable it but then hold onto all your data so that it could re-enable it at a later date if you changed your mind. From today, you can insist that all your data is permanently deleted. Apple meets this obligation by now offering you the choice of either deactivating or deleting your account.
What happens if a company breaches GDPR requirements?
The law has real teeth. For the most serious breaches of GDPR, the maximum fine is 4% of the annual worldwide turnover of the company!
Even the less serious category allows for a fine of up to 2% of worldwide turnover. This is why we have seen companies scrambling to ensure compliance.
Google, Facebook and others have already been accused of breaking the law on day one, and hit with billions of dollars’ worth of lawsuits – though the claim seems to me to be a stretch.
Why have some companies asked me to opt-in to emails, and others just offered an unsubscribe option?
Anyone in the EU will have received a lot of GDPR-related emails from companies. Some of these state that they will never be allowed to email you again unless you click a button to opt-in, while others say nothing will change, and simply have a prominent link to unsubscribe.
The difference is whether the company obtained your consent to GDPR standards when it first added you to its database. If it did, nothing changes and an unsubscribe link is enough. If it didn’t, it has to specifically ask you to opt-in. You shouldn’t get any more of those as, from today, it would be illegal for those companies to email you even if it’s to invite you to opt-in.
When will US citizens get the same rights?
Apple has said that it will offer the same protections to users in other countries, but hasn’t yet specified a deadline for this. Most other companies that have said the same thing have also been similarly vague on timing.
Many other companies, like Facebook, have issued a weaker statement, saying that they will offer similar protections to those in other countries, but haven’t promised GDPR standards.
My experience so far
Many of my fellow Brits have been complaining about all the GDPR emails they’ve been receiving, but personally I’ve welcomed them. I’ve used it as an opportunity to review which email lists I want to remain on, and which I don’t.
One thing that won’t change – the number of PR pitches I receive. Another lawful reason to email is what is known as ‘legitimate interest.’ Although this comes down to a subjective judgement in the end, if a company is emailing me to pitch a product or service, and it has reason to believe that it is relevant to me, then it can use the ‘legitimate interest’ reason to email me. Additionally, emails to businesses, rather than to individuals, are exempt.
Would you like to see US companies commit to GDPR standards? Please take our poll, and share your thoughts in the comments.