How EU's Data Privacy Law Will Impact You

The EU's new General Data Protection Regulation or GDPR offers data protection for consumers and harsh penalties for violators. Here's what you need to know.

Although the Edward Snowden revelations of a US government surveillance program on citizens caused much consternation in the US they raised just as much ire in the European Union. That desire to see user data protected and not left at the whims of US corporations and intelligence agencies, is what's helped drive the implementation of the European Union's General Data Protection Regulation, a new piece regulation that could have far reaching consequences within the EU and beyond.

Designed to replace an aging data protection initiative implemented in 1995, the GDPR will not require individual state legislation, offering a single set of rules for all EU member states. The goal of the regulation is to give citizens back control over their data. In practice, this means forcing organizations to require more obvious opt-in methods of user data collection, as well as records of them giving that consent and easier to access ways to withdraw it.

That's vastly different from the near carte blanche access sites and companies have to users' data currently, and it could really shake up how companies operate within the EU.

In the long term this should mean that citizens of the EU have much greater control over their personal and professional information online and that their data should be more protected from breaches. In the short term though, this means that a lot of businesses are going to need to change the way they handle customer data and implement much greater safeguards for its capture and storage.

That's because this data protection law is actually going to have some teeth.

The GDPR introduces many changes to current data law, but the one that's stood out for a lot of people is the section on penalties. Sanctions begin with written warnings for "first and non-intentional non-compliance of regulations," but from there they stiffen very quickly.

Companies found deliberately not-informing customers of data collection, or found to be repeatedly mishandling it in any fashion, can be fined up to 20 million euros, or 4% of annual worldwide turnover or revenue, whichever is greater.

In the case of a company like Apple, for example, the maximum possible fine would be close to $10 billion. That's the kind of figure even an entity like Apple would feel.

In cases where smaller infringements are noted, the fines will be 10 million euros, or up to 2% of annual turnover or revenue, but even that is rather hefty. 

Fortunately for the many thousands of companies this regulation will impact, they do have some time to get their affairs in order. Although it has been adopted, the GDPR won't officially come into force until May 25, 2018.

That timeline does allow for some adjustment period for companies which operate within the EU, but it does raise some interesting questions about the UK's plans to leave the Union. It is unlikely to have completed its 'Brexit' by the time this regulation comes into play, and as a regulation, the GDPR does not require member state legislation to be applicable. That means companies will need to comply with GDPR within the UK just as elsewhere in the EU. That compliance requirement may change when Brexit is completed, but for the time being, it still must be followed.

This raises further questions about the UK's Investigatory Powers Bill, which the GDPR could effectively make illegal, and without such digital oversight, the UK's position within its Five Eyes spying network with other English speaking nations, could well change too.

Only time will tell, but it seems as if the tide may be turning against the idea of mass, digital data collection without oversight.