It’ll Cost Billions for Companies to Comply With Europe’s New Data Law

With revelations that the political advertising company Cambridge Analytica mined millions of Facebook accounts without users’ consent, Facebook Inc. may be subject to a British investigation that could lead to fines as high as £500,000 ($700,000). While the company also faces potential U.S. sanctions, in Europe the timing works out in Facebook’s favor: If the scandal had happened two months from now, it might have been covered by a new European law that allows penalties as high as 4 percent of a company’s global revenue, or in Facebook’s case, more than $1.5 billion.

The European Union’s General Data Protection Regulation (GDPR), which has been a decade in the making and takes effect on May 25, applies to any business that handles the personal data of European residents. The rules cover almost anything that can be linked to an individual: addresses, credit card numbers, travel records, religion, web search history, computer ID codes, biometric data, and more. “GDPR holds companies of all sizes to account,” Facebook Chief Operating Officer Sheryl Sandberg said at a January conference in Brussels, before the Cambridge Analytica leak was revealed. The law will affect almost everyone, she said, because businesses “all use data to improve their services.”