In May 2018, the General Data Protection Regulation (GDPR) went into effect in the European Union (EU). The GDPR gives consumers in the EU greater control over their personal data and how it is used. Time reports that, “corporations need to explicitly ask if they can collect your data, they’re required to answer if you inquire what that data is used for, and they must give you the right to permanently delete that information. Companies will also be required to disclose now ubiquitous data breaches within 72 hours.”
The EU’s Data Protection Directive currently defines personal data as, “any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.” The new definition under GDPR will include online identifiers, such as an IP address, as personal data. GDPR also refers to “sensitive personal data” which includes genetic and biometric data.
GDPR applies to any organization which processes and holds the personal data of those residing in the EU, even if the organization is not located in the EU. Although it applies only to data pertaining to those in the EU, many companies are making changes to their privacy protections worldwide and consumers around the world were flooded with notices of changes to privacy policies in the weeks leading up to GDPR implementation. Although privacy policies may have been modified for all users, only those in the EU have legal recourse for infractions under GDPR.
There is currently no law comparable to GDPR in the United States, although several states are considering similar legislation. According to Engadget, any new US law is unlikely to be the same as Europe’s GDPR. Although new US regulations may give consumers more control over their data, provisions such as the “right to be forgotten” may conflict with US laws.
With all of the attention being paid to privacy and data security, there is no doubt that we will see additional regulations in the US, even though the specifics of those regulations are not yet known.