A new European data regulation that just a month ago seemed like an obscure piece of legislation is suddenly on the lips of everyone in the tech industry.
Already touted as “the most important change in data privacy regulation in two decades,” the General Data Protection Regulation, or GDPR, goes into effect on May 25 — unintentionally good timing as it comes on the heels of a scandal that revealed that academic researchers had harvested the data of tens of millions of Facebook users and that data was allegedly misused by Cambridge Analytica, a data mining firm linked to Donald Trump's 2016 presidential campaign.
The revelation exposed the vulnerability of user data and shook the confidence of Facebook users, many of whom threatened to wipe out their accounts as part of a mass exodus #deletefacebook campaign.
With Facebook in full damage control, the incident brought fresh calls for stronger personal data protection to the forefront of national discourse in the United States.
Meanwhile, the 28 member states of the European Union are adopting a more hands-on regulatory approach to ensure that the private data of their citizens remains just that — private.
Approved on April 14, 2016, the new rules treat personal data protection as "a fundamental right" — a utopian concept for consumers who are used to 3,000-word terms of service agreements, automatic opt-ins and data breaches that lead to little in the way of corporate punishment.
Data transparency: Who, where and why
In a drastic shift in data transparency, the GDPR will give an individual the right to find out whether, where and for what purpose their personal data is being processed.
"Organizations, corporations and the government know too much about us, and what GDPR will do is provide controls that say, it’s fine that you know something, but you have to justify why you want to know it," said Seb Matthews, a data privacy consultant with U.K.-based extaCloud.
Under the GDPR, individuals are entitled to have their personal data erased or not disseminated further, including potentially halting third parties from processing the data. They can choose to move their data and can object to having it processed for direct marketing purposes.
The definition of "personal data" is also quite broad. It includes anything from an individual's name to their location to an online identifier, such as an IP address or browser cookies that can track web activity. An individual's physical, physiological, genetic, mental, economic, cultural or social identity is also protected.
If a data collector, whether a business or a government agency, wants to use this data, it will have to obtain consent in a clear and accessible way. No more convoluted legalese or fine print.
"You now have to have an extremely unambiguous, informed consent before the data is used," said Stuart Lacey, head of the customer data rights management company Trunomi, which provides GDPR-related technology and solutions.
"It has to be specific, immediate and clearly articulated in language that people can understand,” Lacey said.
Should personal data be breached, GDPR dictates that authorities have to be notified within 72 hours after a company becomes aware of the issue. That’s welcome news for people fed up with reading about companies that have not reacted to data breaches with the proper urgency.
Failure to comply with the GDPR also comes with a hefty penalty. Companies that violate the new rules can be fined up to 4 percent of their annual global turnover or 20 million euros (nearly $25 million), whichever is greater.
Matthews, who advises businesses on how to be ready for the GDPR, said the hefty fines will give the new rules some teeth.
"This ability to throw enormous fines -- that’s a whole different level of impact when organizations fail to justify their behavior," Matthews said.
He said this kind of "fear factor" is why previous legislation has not been very successful and created the need for the GDPR.
Would GDPR have stopped Cambridge Analytica?
The Cambridge Analytica scandal provides a practical example of how GDPR might look in action, particularly since experts who spoke to NBC News were divided over whether the new rules would have changed what happened.
“If you zoom away from the specifics of what Cambridge Analytica did, they had a data set that was for sale," Matthews said. "Things like that become very hard to do with GDPR in place. Simply justifying why you gathered that data would be very hard."
But Nigel Tozer, a GDPR expert with the data backup and recovery company Commvault, said GDPR won't help if users agree to allow their data to be harvested. About 270,000 users whose information was scraped by Cambridge Analytica had consented to having their data harvested, but the data of millions more was improperly obtained through Facebook friend connections, according to The New York Times.
"If I put my wallet with a stack of cash in the middle of the street because I didn’t think anybody would steal it and they did, it’s my fault,” Tozer said. “But if I gave it to someone to look after and said, ‘Hide it’ and they didn’t, then it’s a problem.
“What GDPR serves to do is make people more aware of what privacy is and what can happen to their data down the line,” he said.
Put simply, GDPR might stop another Cambridge Analytica situation, but only if users turn down requests to collect their data.
GDPR is not without its flaws. Experts admit the new rules are creating major headaches for smaller businesses, especially nonprofits, which are running into considerable expense trying to comply and avoid heavy penalties.
Many are spending hundreds of thousands of dollars on the software, infrastructure and human resources necessary to fulfill requests about personal data.
"The first thing we do when working with companies is try to find where people’s data is," said AJ Thompson, director at IT consultancy Northdoor, which has been helping businesses prepare for GDPR for the last two years. "There is information everywhere and that’s the hardest piece of this."
For many companies, there is a massive learning curve. But Thompson says GDPR is forcing them to think differently.
"It’s a bit like buying car insurance -- no one particularly likes buying car insurance until you have a crash,” Thompson said.
Experts say there is going to be a spectrum of businesses that will try to weasel their way out of complying, while others will try to be compliant to a minimal degree. Others will follow the spirit rather than the letter of the regulation.
There's also concern that GDPR will become a boogeyman for companies, which will spend money unnecessarily on compliance.
E.U. grown, globally known
Because the GDPR is an E.U.-wide regulation, all 28 member states, each with a different approach to data protection in the past, will now have to play by the same set of rules.
Companies outside the E.U. are not off the hook, however. Any company dealing with users in the E.U. will have to comply with the GDPR for those people — and that includes American companies.
Facebook’s response to GDPR has been closely watched, particularly after its recent scandal and CEO Mark Zuckerberg’s public comments about the regulations.
During his two-day grilling by members of Congress this month, Zuckerberg was asked if GDPR should be applied in the U.S.
“I think everyone in the world deserves good privacy protection,” Zuckerberg said, adding that he thinks it’s worth discussing whether something similar to GDPR should be applied in the U.S.
Zuckerberg said that for its part, Facebook is committed to rolling out the controls and affirmative consent required by the E.U.’s GDPR, regardless of whether the U.S. implements the exact same regulation, in light of what he called “somewhat different sensibilities in the U.S.”
That claim appeared to be slightly contradicted when Facebook recently moved the legal governance of 1.5 billion users in Africa, Asia, Australia and Latin America out of Ireland and away from the GDPR’s reach.
Tozer agrees there are cultural differences between the U.S. and Europe when it comes to how people view data privacy.
"People in Europe expect a greater degree of privacy," Tozer said, adding the Cambridge Analytica scandal afforded people in the U.S. "a view of what actually goes on with their personal data" and will likely make them crave GDPR-like protections down the line.
Lacey also expects the push for greater privacy protection in the U.S. to come not from the lawmakers but from the American public, who will choose to work with brands that respect their data and shun those that don't.
Matthews adds that the panicked awareness the Cambridge Analytica scandal has generated in the U.S. will likely help fuel interest in GDPR and what it has to offer in Europe.
"It gives this ability to show off to the rest of the world, and especially the U.S., that there is a way to do this," Matthews said. "That privacy is a possibility."