*Updated on 10/16/2024
The European Union originally passed the General Data Protection Regulation (GDPR) in 2018. The most prominent GDPR ruling by the European Court of Justice was in May of 2023, fining Meta, Facebook’s parent company, €1.2 billion ($1.3 billion).
It was determined that Meta’s offense was as follows: “incorporating user content to use data for targeted advertising purposes within its term of service, thus forcing anyone using Facebook or Instagram to give up their data as a condition of using the platform.” To Meta, this process is known as “contractual necessity.” The DPC found this to be in violation of the EU GDPR.
What is GDPR (General Data Protection Regulation)?
So, why are news outlets keeping tabs on this story and why should we even care about it? Simply put, it impacts individuals and organizations, and more specifically, how organizations collect data on individuals.
To understand its impact, it’s important to understand what GDPR actually is.
Implemented by the EU in May 2018, the GDPR is a regulation designed to strengthen and unify data protection for all individuals within the EU. The goal is to give EU citizens more control over their personal data and how it’s collected, used, and shared by businesses. It applies to any business operating within the EU as well as any business outside of it that processes the personal data of EU citizens. If businesses don’t comply with GDPR, they may be fined up to 20 million euros or 4% of their annual turnover, whichever amount is greater.
Who Does GDPR Apply to?
Under the regulation, businesses are required to obtain explicit consent from individuals before collecting, using, or sharing their personal data for personalized advertising. This means that businesses must provide clear and detailed information about how the personal data collected will be used and individuals must take affirmative action to opt in to the collection and use of their data.
GDPR places specific obligations on businesses, such as the need to appoint a data protection officer, incorporate organizational and technical measures to protect personal data, and notify individuals and certain supervisory authorities of breaches.
The regulation also impacts the ability to gather relevant data on clients and prospects for marketing purposes. If consent to use their personal data is not provided, entities won’t be able to use it as part of their digital marketing strategy. As a result, marketers are maximizing "opt in" solutions to collect, use, and share data in an effort to personalize advertising experiences.
While compliance with GDPR may be challenging, it does bring a slew of benefits to businesses. Compliance helps build trust with customers, improves processes for data management, and reduces the risk of data breaches. It’s also more cost-efficient. GDPR compliance saves businesses from shelling out massive amounts of money for violations (e.g., Meta).
How Does GDPR Impact Individuals?
GDPR significantly impacts individuals in the EU by providing them with greater control over their personal data. They have the right to access, rectify, and delete data, the right to object to certain types of data processing, and the right to be informed of certain types of breaches. Individuals also have the right both to give consent to businesses collecting and processing their data and to withdraw it.
Additional benefits of GDPR for individuals include increased transparency as businesses are required to disclose their data collection and usage practices, the right to request their personal data be erased under certain circumstances, and the right to lodge a formal complaint with a supervisory authority.
Future Outlook for GDPR
Like most things, the future of GDPR in the EU is uncertain, but it’s likely that it will continue to play a key role in protecting personal data. Whether that’s increased enforcement efforts, changes to the regulation as technology continues to advance, or an extension of the regulation to countries operating outside of the EU to ensure consistency in data protection, it will be interesting to see how all of this plays out in 2023 and beyond.
Interested in learning about consumers’ privacy in the US, and more specifically California? Check out our blog post titled, “CCPA & CPRA: What You Need to Know About Consumers’ Privacy.”
*The content herein is for informational purposes only and is not intended to be taken as legal advice. If you have any legal concerns, we encourage you to seek competent legal counsel for advice.