New EU Regulations You Keep Hearing About at Zuckerberg Hearings Explained

Social media giant will implement data privacy requirements worldwide, Facebook CEO says

Facebook CEO Mark Zuckerberg testifies before a House Energy and Commerce Committee in the Rayburn Building on the protection of user data. The European Union’s new standards on data privacy start affecting Facebook next month. (Tom Williams/CQ Roll Call)

Members of Congress keep asking Facebook CEO Mark Zuckerberg about European Union regulations that will affect his company and its billions of users. But what’s in the new rules?

Zuckerberg said data privacy restrictions from these regulations will be implemented worldwide, beginning when the European Union’s General Data Protection Regulation goes into effect this May.

This means all Facebook users are going to see a few changes next month. (Europeans will also see changes on other services that collect user data for advertising, such as Google and Twitter.)

Here’s what you should know about the impending changes to European law that will have effects worldwide and could set the tone for potential U.S. regulations being floated:

Making terms of service understandable

The GDPR requires companies to make terms and conditions easier to read and comprehend. It also requires these legal forms to clearly ask for consent to access users’ personal data, instead of burying the agreement in legalese and long documents that most users just click “accept” on without reading. Zuckerberg said in yesterday’s hearing that soon, every user’s Facebook app will have a tool at the top of the page that walks them through the data settings and asks them individually which features they want to enable or disable.

Data breaches

A situation like the Cambridge Analytica scandal — where user data was taken and not reported publicly until years after the fact — would violate the new laws. The GDPR mandates that companies must tell users about breaches that could “result in a risk for the rights and freedoms of individuals” within 72 hours of learning about the issue.

Accessing data

Another new rule states that users need to be able to easily find out what data an organization holds about them. Anyone whose data has been collected, whether a user, a business or an organization, can ask a company such as Facebook whether their personal data is being processed and what the information is being used for. The organization collecting data has to provide a copy of all personal data collected, free of charge, and must let you share that data with other companies. Facebook already lets you access a log of the data it has collected through your account.

Deleting your information

The “Right to be Forgotten” is also included in the GDPR. This means users or organizations can have apps such as Facebook delete all of their personal data and stop that data from being processed or shared in the future. Zuckerberg said Facebook already deletes all stored data for users who delete their accounts.

Privacy by design

This requirement obliges businesses that collect data to “hold and process only the data absolutely necessary for the completion of its duties,” instead of collecting everything they have access to. It also stipulates that only the people processing the information may access people’s personal data.

Enforcing the rules

If Facebook or any other company fails to meet the standards of these new regulations, the European Union can fine data collectors up to 4 percent of their annual global turnover or €20 million. Data collectors or processors would incur these fines if they do not do enough to protect user data, fail to obtain “sufficient customer consent,” or violate any of the other regulatory requirements.
