DAVID GREENE, HOST:
The United States takes credit for inventing the Internet. The EU seems determined to govern it. This Friday, a sweeping new directive goes into effect. It's called GDPR, the General Data Protection Regulation. And here to explain to us what this mouthful means for the European Union and also for the United States, we have NPR's Aarti Shahani. Hey, Aarti.
AARTI SHAHANI, BYLINE: Hi.
GREENE: I love acronyms. It's great for radio. GDPR - what exactly is it?
SHAHANI: Rolls off the tongue, right?
GREENE: Yeah, totally.
SHAHANI: (Laughter) So it is a directive that protects residents of the European Union, OK, people living there, even Americans living there. But if you're in the U.S., even if you're European, you're not protected. U.S.-based companies, all companies, like Google, Facebook and Microsoft, they have to comply for any and all businesses that - or business they're conducting over there. At the most basic level, GDPR expands what counts as personal data and your rights over that data. So your data is, for example, what you post on social media, your electronic medical records, your mailing address. It's also your IP address. That string of number is unique to your smartphone or tablet. It also allows GPS location.
GREENE: It's like everything it sounds like.
SHAHANI: That's right. It's more comprehensive. And the directive says people have to give permission for a company to collect your data. A company can't just sign you up without explicitly asking, so, hey, can I store your phone number or collect your web browsing history? It has to be asked. And if it's more personal, say it's your biometrics, the ask has to be even more clear, red alert language. Now, as a European, if you don't want a company keeping your data, you have a right to deletion. They have to delete the data without any undue delay or face a penalty.
GREENE: OK. I just want to underscore something. This means nothing if we are here in the United States. This doesn't apply to us at all or it might somehow.
SHAHANI: It's not legally binding in the U.S. So, you know, if you're an American, you're probably getting a lot of emails and push notifications from your apps, you know, maybe even some newsletters you forgot you signed up for. That's what I'm getting.
SHAHANI: You know, I had a lawyer take a look at the legalese that I got from Spotify and eBay. And what he did is he pointed out they're saying that me - we here in the U.S. - can request to delete our data, but it's just a request. There is nothing binding about it, OK? Here, we've only got three laws that protect medical and financial records and kids. But other than that, we're pretty much the Wild West. We are unregulated. That's how that scandal happened where 87 million Facebook users had their profiles land in the hands of a political operative - unregulated marketplace. You know, and last month, in testimony before Congress, Mark Zuckerberg, CEO of Facebook, said he'd give Americans all the same controls Europeans have. Let's have a quick listen to his words.
(SOUNDBITE OF ARCHIVED RECORDING)
MARK ZUCKERBERG: We believe that everyone around the world deserves good privacy controls. We've had a lot of these controls in place for years. The GDPR requires us to do a few more things, and we're going to extend that to the world.
SHAHANI: And so actually on Facebook there will be a big difference between Europe and the U.S. when it comes to what's collected by default. In Europe, Facebook has to get permission to do facial recognition. It's not on by default, but in the U.S., it is. So American users have to click through screens to opt out.
GREENE: OK. So, Aarti, I mean, explain one of the - one of the arguments against these laws is that the sky is going to fall down. It's going to really hurt businesses like Facebook because they rely so heavily on collecting information automatically. Is that a legitimate argument?
SHAHANI: So that is the key debate, and one side is arguing GDPR will be terrible for competition and small startups won't be able to afford all the big expenses that come with managing and protecting data so just the big companies will be able to survive. Another camp says, no, consumers don't trust the Internet right now. That's a problem, and it will be good for us.
GREENE: All right. NPR's Aarti Shahani. Aarti, thanks a lot.
SHAHANI: Thank you. Transcript provided by NPR, Copyright NPR.