What Will the EU’s GDPR Mean for the Internet?

With the implementation date (May 25) for the European Union’s (EU’s) new General Data Protection Regulation (GDPR) right around the proverbial corner, a lot of people are wondering how this rule might affect the internet that they know and love.

For the average person, not much will change. The rules that are outlined in the Regulation specifically apply to businesses, and have a specific exclusion for “a natural person in the course of a purely personal or household activity.” So, as a member of the general public, you won’t have to worry about trying to maintain compliance with some new set of web rules.

However, you might notice that some of the websites you frequent may change slightly. In fact, you may have noticed that some of the more alert and prepared companies whose websites you visit may have already started enacting a few changes. So, what do these changes have to do with the new EU data protection regulation? And, how will GDPR affect your internet browsing experience?

Expect to See a Lot of Informational Pop-Ups and Email Reminders

The new Regulation stipulates a set of specific rights for “data subjects” (that’s you). One of those rights is “Transparent information, communication and modalities for the exercise of the rights of the data subject.” To paraphrase the content of the rule, you have the right to be duly informed of your rights as a “data subject” online when you interact with a business and they collect your information—sort of like how cops have to read the Miranda act to suspects when making an arrest.

A lot of websites that collect your personal information may start to send you pop-up notifications (or emails, if they have your email address on file) that tell you that you can do the following:

• Be Informed When Your Personal Data is Being Collected. Article 13 of GDPR specifically requires businesses to notify people of when their data is being collected. Additionally, this applies whether they collect the data from you directly or if they obtain it from a third party. If data is collected via a third party, they need to tell you who they receive the data from and provide contact information.
  
  
• Access the Data That is Being Stored About You. Article 15 of GDPR requires businesses to provide data subjects access to the data that is being stored about them. You also should be informed of why the data is being stored.
  
  
• Submit Corrections to Incorrect Data. If the data being stored is erroneous in some way, you can ask the business storing the data to make a correction. You also have the right to be notified when the data has been rectified.
  
  
• Ask the Company to Delete Any Data About You. Article 17 of the rules specifies that you have the right to have your data erased “without undue delay” in specific circumstances. Keep in mind that there are limits to this, so it isn’t guaranteed that your data will be erased upon request. The company should tell you if and when the data is deleted.
  
  
• Restrict the Processing of Your Data. Aside from erasure, GDPR has a provision that allows you to limit the company’s ability to process or share your data without your express permission.
  
  
• Object to the Collection of Your Data. Under GDPR, you can object to having your data collected by a company. If you object, the “controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.” Basically, you can issue a cease-and-desist, but there are times where the company can ignore it if they have a compelling legal reason to do so.

That’s a lot of rights—and these are heavily paraphrased definitions. There is a lot more to the text of each rule than what is recorded above.

If you have some kind of subscription to a website that sends out a monthly newsletter, you may see—or have already received—an email asking if you’d like to stay subscribed with a link to a page asking for personal information and a bit of text explaining what the personal information is used for.

Will Every Website Start Doing This?

No. Not every website will have to make these changes—just the ones that do business with or handle the personal data of EU citizens. So, you might not see big notifications from every business that you follow online.

However, odds are that most of the major companies that you interact with online—the ones that serve regions outside the U.S.—will start making some changes to their terms of use and sending out reminders like the ones mentioned earlier.

How Will My Data Privacy Change?

The rules outlined in GDPR provide a lot of power to you as a “data subject” when it comes to how your personal data is stored, transmitted, and used. Not only do you have to be notified when your data is collected, but how that data is to be used. If you don’t like how it will be used, you can object.

However, the thing is that GDPR only applies to companies that do business with or handle the data of EU citizens. Now, considering the increasingly globalized nature of business, that’s going to be a lot of companies. But, this is still an EU law that’s designed for the benefit of EU citizens.

Odds are, local businesses that you deal with might not change much.

Overall, GDPR won’t affect your internet browsing experience too much—at least not directly. You may see some more pop-ups in the coming months trying to educate you about your rights as a data subject, but GDPR won’t likely affect much else for the average person. Now, the impacts of GDPR on a business are likely to be much heavier. To learn more about those impacts, check out this blog on What GDPR Means for Businesses, or read the General Data Protection Regulation Guide at the link below: