KUNM

What The European Union's New Online Privacy Law Means For The U.S.

Apr 16, 2018
Originally published on April 17, 2018 12:40 pm
Copyright 2018 NPR. To see more, visit http://www.npr.org/.

ARI SHAPIRO, HOST:

Lawmakers who want to protect online privacy are looking overseas for models. Here are some of the comments that came out of last week's hearings with Facebook CEO Mark Zuckerberg.

(SOUNDBITE OF ARCHIVED RECORDING)

LINDSEY GRAHAM: Do you think the Europeans have it right?

(SOUNDBITE OF ARCHIVED RECORDING)

SCOTT PETERS: I want you to elaborate on what the Europeans got right and what you think they got wrong.

(SOUNDBITE OF ARCHIVED RECORDING)

MARIA CANTWELL: Do you believe the European regulations should be applied here in the U.S.?

SHAPIRO: That was Republican Senator Lindsey Graham, followed by Democratic Congressman Scott Peters and Democratic Senator Maria Cantwell. A big online privacy law goes into effect next month in Europe. And we're going to look at what it does and what it could mean for this country in this week's All Tech Considered.

(SOUNDBITE OF MUSIC)

SHAPIRO: Estelle Masse is an advocate for stronger online privacy. She's with the nonprofit group Access Now and joins us from Brussels. Welcome to the program.

ESTELLE MASSE: Thank you. Thank you for having me.

SHAPIRO: You urged lawmakers to pass this regulation, officially called the General Data Protection Regulation or GDPR. What gave them the political will to do it? Was there a story about personal data falling into the wrong hands similar to the Cambridge Analytica affair?

MASSE: So in the EU, we have had a data protection law since 1995. So in reality, this concept is not anything new for us. However, that law has been lacking enforcement for many, many years. So what motivated EU lawmakers to adopt the General Data Protection Regulation was the fact that - despite the fact that we had a law, there were still many issues on misuse of data. And we were seeing also an increased number of data breaches. Therefore, there was a great need to adapt the model that we had for offline privacy to the online world.

SHAPIRO: I know one big part of this new regulation is having people consent to have their information shared - opting in. We'll hear more about that in a moment. What else do you especially like about this new set of regulations?

MASSE: So one important point of the GDPR was to bring it to the digital age. So one of the changes that we can see in the law is that there is new protection around the use of data for what we call big data analytics and potentially artificial intelligence, which, for instance, provide rights to the users to object - which means refuse - the use of their data when it's only done - conducted through algorithm. And we're also gaining a right to explanation, which means that we will be able to receive normally information about the logic used by algorithm when they're applied to make a decision about us. We also gain a new effective right to information. And this right, for instance, requires terms of service to be given to people in clear and plain language. So it means that it can no longer be hundreds of pages of legalese text where you would need a lawyer to help, you know, if you really want to consent to that use of data, for instance.

SHAPIRO: Were there things that you wanted to be included in this regulation that you couldn't persuade lawmakers to do?

MASSE: Right. So the regulation was one of the most lobbied-against pieces of legislation. It was being negotiated for five years, which is already quite unusual for EU processes. It can take a long time, but that was really huge. There have been more than 3,000 amendments on the law from the European Parliament...

SHAPIRO: More than 3,000?

MASSE: Right. It was really a lot of work. And we're not entirely satisfied with what's in there. However, it's a great improvement from the previous law. And it's also a great basis for the use of data in the digital age.

SHAPIRO: What will happen to companies that don't comply with these regulations? What punishment will there be?

MASSE: So there are different layers of punishment based on the type of violation you're doing. The most serious threats that a company can have in case of serious and repeated violation would be a fine of 4 percent of their worldwide turnover. And for violation of other rights, it could be a fine of 1 percent.

SHAPIRO: I don't know what 1 percent or 4 percent of Facebook's annual net profit is, but I can imagine the number is not insignificant.

MASSE: Right. It will be pretty large. And the whole point was that for the fine to be dissuasive enough so that the law would be complied with, which was an issue with the previous law, for instance, because the highest fine under the previous law was 150,000 euros, which if I remember correctly, I think Google makes in like less than a nanosecond. So it would have been pretty easy for them to budget it.

SHAPIRO: Estelle Masse, thank you so much for talking with us today.

MASSE: Thank you very much.

SHAPIRO: She's a senior policy analyst for Access Now, a nonprofit international organization working to protect human rights in the digital era, speaking with us from Brussels. Transcript provided by NPR, Copyright NPR.