A new sheriff is coming to the Internet. Only this enforcer isn’t riding in from Washington or Beacon Hill, but from Brussels.
On Friday, the European Union starts enforcing its new law on the privacy rights of Internet users, the General Data Protection Regulation, or GDPR. Already, its effect has been felt across the pond, as US residents are bombarded with e-mails about the measure from companies that do electronic business in the 28-nation European community.
And the GDPR may become a de facto worldwide benchmark, if companies decide it’s cheaper to apply a single standard to all of their customers, including those outside the European Union. That could reduce the risk that US consumers will have their Social Security numbers, addresses, and other sensitive data lost, stolen, or abused.
For instance, had the GDPR standards been in place, Facebook would have had to ask 87 million of its users before sharing their information with Cambridge Analytica, the British firm that tried to use the data on behalf of the Trump campaign.
“What this means at a macro level is that European legislators have decided that data privacy is as important as national security,” said Mark Barnes, an attorney at Ropes & Gray who has followed the development of the GDPR.
Companies and other organizations must tell consumers what personal data they plan to collect and what they will do with it. They also have to say how long they plan to hold the data and, if they plan to share it, with whom. Consumers also have the right to demand that companies delete information they hold about them.
The notifications must be specific and easy to understand. The cost of not protecting data is staggering: violating the more crucial provisions, such as collecting someone’s personal information without a lawful basis such as consent, or sending it to a third party without one, could trigger fines of 20 million euros (about $24 million) or 4 percent of a company’s worldwide revenue from the previous year, whichever is higher.
Already, many companies that maintain e-mail lists are asking millions of recipients to confirm that they can retain those consumers’ e-mail addresses and continue to send them messages. Recipients who don’t reply are dropped from the mailing lists. While the sudden flood of “Mother, may I?” e-mails can be a nuisance, they are a handy way to stop receiving digital newsletters and other notices that consumers may no longer read.
The GDPR covers every organization and business that collects personal information on people in the European Union, regardless of where those operations are located — even the smallest e-commerce company in Massachusetts, if it has customers in Berlin or Paris.
For local companies with a big exposure to Europe, complying with the new law can be costly and confusing.
“This is a huge administrative burden, and it has no upside,” said Robert Glazer, the founder of Boston-based Acceleration Partners, an online marketing company with clients in the European Union.
The United States does deserve some credit for the EU crackdown. In 2012, when European governments first announced a plan to upgrade the EU’s 1995 privacy law, they were worried about the global dominance of Facebook, Google, and Amazon, which hold sensitive personal data on millions of Europeans. The subsequent revelations of intrusive digital spying by the US National Security Agency only strengthened Europeans’ resolve to protect the privacy of citizens.
The GDPR also lets Europeans demand that a company delete information it has collected about them — the controversial “right to be forgotten” (formally, the right to erasure), which has been upheld by European courts.
For instance, a British court recently ordered Google to expunge search results about a man convicted of a crime about 10 years ago. Meanwhile, Google is appealing a ruling in France that requires it to delete similar information from all of its computers worldwide, arguing that it poses a threat to freedom of expression around the globe.
Under the GDPR, other US companies could face similar demands from European residents.
Complying with this and other rules won’t be easy. For instance, companies are liable for the security of data they share with third parties, such as advertisers — if they even know to whom they have given the data, that is.
A 2017 survey of 625 companies by the research organization Ponemon Institute found that 57 percent didn’t know all the third parties that receive their customers’ data, and 82 percent didn’t know if those third parties then share that data with yet more firms. Under the GDPR, this has to change, as companies must now be able to list every other firm that receives or uses their customers’ data.
Boston-based Iron Mountain stores massive quantities of data for companies around the world. It has long done business in Europe and believes it’s ready for the GDPR, because it was already in compliance with the 1995 EU privacy law.
But Michael Zurcher, global privacy officer for Iron Mountain, suggested that many other companies have barely begun to think about the challenges of compliance. “I think about 50 percent are ready,” he said, “and about 50 percent are looking up like a deer in the headlights and saying, ‘What is GDPR?’”

Hiawatha Bray can be reached at firstname.lastname@example.org. Follow him on Twitter @GlobeTechLab.