Beginning May 25, 2018, the European Union's General Data Privacy Regulation (GDPR) goes into effect, and it's a radical departure from American data privacy standards. The rule requires an explicit "opt-in" from every website visitor and covers all EU residents and citizens. Your enterprise must develop and maintain a whole new array of privacy protection systems to become and remain compliant with the new regulations.
The new rule protects the Personally Identifying Information (PII) of every person who is a citizen or resident of any of the EU's 28 member countries and affects any entity anywhere in the world that seeks to use that PII. By securing the individual's right to control their personal data, the GDPR prohibits entities that have access to that information from using it indiscriminately and/or for undisclosed purposes. Further, any entity that intends to collect PII for any purpose must give the subject sufficient notice of its intent and obtain their explicit consent to use the data in the context described in the notice.
At its core, the GDPR rests on a relatively simple premise - that each person has the fundamental right to privacy and to control what happens to information about them. PII is information related to a natural person that identifies that person, including not just obvious data, but also information about location (including a user's computer IP address) and any information related to their genetic, economic, health, or social identity that could identify them personally. Owning and controlling their data means that individuals have the right to determine what happens to that information, both immediately and over the course of time.
The rights conferred by the GDPR include:
While each of these rights is important, perhaps the most significant new protection is the "right to be forgotten." To invoke this right, a person can ask for deletion of their personal, no-longer-relevant information and the entity has up to 60 days to wipe that data from anywhere and everywhere it may reside across its entire data storage infrastructure.
Note - the individual has the right to determine that their data is no longer needed, not the company that possesses it, and can invoke their right to have their data erased from the entity's data banks even after they've consented to its use. Google and other Silicon Valley companies are fighting this mandate in the EU Court of Justice.
The new EU standard is a dramatic departure from how American companies typically treat the billions of bytes of data that they collect each day. In the United States, "data privacy" is fundamentally different from the human right to privacy; data privacy is supported only on a situational basis. The American laws that do govern data privacy require companies that collect PII to layer in protections and safeguards only in certain sectors, such as healthcare (governed by HIPAA), the financial sector (the GLBA and the FCRA) and the marketing industry (the TCPA, the TSR and CAN-SPAM, as examples).
Otherwise, for American corporations, there are no explicit data privacy protection mandates; you need only issue a notice informing consumers that you collect data and the purposes for which you use it, and allow those users either to opt out of sharing their data or to consent implicitly to its use simply by navigating further into your website. After that point, the data belongs to the company collecting it; Americans have no rights comparable to the right to "be forgotten" newly established by the GDPR.
Complying with the GDPR is likely to pose significant challenges to how American companies define and understand data ownership, and to expose the myriad conflicts between "business as usual" and the brave new world, yet to be clarified, legislated and litigated, of "information ownership."