The European Union’s new data-protection rules are officially in effect. The General Data Protection Regulation (GDPR) is the world’s most stringent set of regulations to protect internet users’ online data, and its effects are reverberating far beyond Europe. In this post we examine the details of the GDPR, the circumstances that led to its adoption, and what it means going forward.

What is the GDPR?

The GDPR evolved from two important pieces of legislation. The Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, a set of recommendations endorsed by the United States and European Union, were adopted in September 1980. They were composed of eight principles designed to protect personal data and a person’s fundamental right to privacy. While non-binding and variable between EU member states, they laid the philosophical foundation for future privacy laws.

The next set of regulations, the Data Protection Directive 95/46/EC, was adopted in October 1995. It attempted to harmonize the data protection laws across the EU, while clarifying rules about transfer of personal data to countries outside of the European Union. The directive established Data Protection Authorities (DPAs) in each member state, to oversee the implementation of the directive and serve as a regulatory body; third-party data transfers were allowed if those countries were deemed to have levels of protection comparable to the EU.

Because Directive 95/46/EC was just that – a directive – its codification in national law was left open to interpretation by each member state. The intervening years saw mass adoption of the internet and, by extension, a rapidly shifting landscape. This necessitated new, binding legislation.

The GDPR is spiritually similar to previous legislation but is more comprehensive and enforceable, reflecting modern technological realities and also leaving room for future innovation. It requires businesses to clearly detail how an individual’s data is being used and makes it more difficult to target advertising via personal information. Users can reduce the amount of data made available through their browsing activity, request that companies release data for them to review, and even call for it to be deleted. Non-compliance can result in fines upwards of $1 billion.

Privacy Activists vs. Silicon Valley

Tech giants are already feeling the effects of the legislation. A privacy advocacy group called NOYB (None of Your Business) filed multiple complaints in France, Belgium, Germany, and Austria soon after the law went into effect. The complaints allege that Facebook, Google, WhatsApp, and Instagram violated the new rules by not giving users control over their data. NOYB is asking regulators to assess fines in the billions of dollars – $4.3 billion against Alphabet, and $1.5 billion against Facebook, Instagram, and WhatsApp. Each represents the maximum penalty of roughly 4 percent of each company’s revenue in 2017.

Max Schrems, a 30-year-old Austrian, is the lawyer behind the claims. Schrems is well known in international data privacy circles for his work challenging Facebook’s data collection policies, as well as the Safe Harbor laws that allowed tech companies to store data on Europeans in the United States. He accuses the industry leaders of “fundamentally [trying] to ignore or redefine” the GDPR laws by forcing users to agree to data collection without being specific about the ways their data would be used. According to Schrems, all-or-nothing privacy policies (as the complaints characterize each company’s) are in violation of the GDPR’s provision that consent be customizable, giving users the option to share or not share specific types of data.

Silicon Valley maintains it has not done anything wrong, with spokespeople from Facebook and Google reaffirming each company’s commitment to complying with the GDPR. Facebook’s chief privacy officer, Erin Egan, issued a statement championing Facebook’s effort to clarify its policies, make privacy settings more available to users, and introduce tools to let its users access and potentially delete their personal information. Al Verney from Google claimed the company builds privacy tools into its products “from the very earliest stages” while reiterating its obligation to follow the laws.

Sizing Up the Implications

The early days of the new laws have encouraged a rush of activity from lawyers and activists eager to define how the rules are enforced. Opponents argue that the law could have outsized negative effects on smaller companies that lack the legal firepower of the world’s biggest tech companies, and that it could lead to price increases for consumers to offset losses in advertising revenue. Doomsday scenarios predict a Europe devoid of technological innovation as America’s leading companies refuse to do business there. Schrems and others argue the claims are ridiculous – they say companies with the size and global reach of Google or Facebook cannot stop serving large swaths of the world. But some American publications that depend on more-invasive strains of ad revenue have stopped catering to European markets, and a few smaller tech companies pulled out of Europe entirely, indicating that there will be at least some negative effects on businesses.

Ultimately, Schrems’s complaints revolve around the idea of choice – that tech giants need to give their users real options about how their data is harvested and used. Whether or not the fines are imposed remains to be seen, but the early rush of lawsuits makes clear that Silicon Valley needs to seriously consider the data privacy of its users as it operates around the world.