GDPR: US news sites unavailable to EU users under new rules

  • Published
Media caption,

You've been sent a lot of emails about it... but what is GDPR?

Some high-profile US news websites are temporarily unavailable in Europe after new EU data protection rules came into effect.

The Chicago Tribune and LA Times were among those saying they were currently unavailable in most European countries.

Meanwhile complaints were filed against US tech giants within hours of the General Data Protection Regulation (GDPR) taking effect.

GDPR gives EU citizens more rights over how their information is used.

It is an effort by EU lawmakers to limit tech firms' powers.

Under the rules, companies working in the EU - or any association or club in the bloc - must show they have a lawful basis for processing personal data, or face hefty fines.

There are six legal bases for using personal data, including getting express consent from consumers. However, in most cases firms must also show that they need the personal data for a specific purpose.

Facebook, Google, Instagram and WhatsApp are accused of forcing users to consent to targeted advertising to use the services.

Privacy group, led by activist Max Schrems, said people were not being given a "free choice".

If the complaints are upheld, the websites may be forced to change how they operate and they could be fined.

Which sites are unavailable?

News sites within the Tronc and Lee Enterprises media publishing groups were affected.

Tronc's high-profile sites include the New York Daily News, Chicago Tribune, LA Times, Orlando Sentinel and Baltimore Sun.

Its message read: "Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market."

Lee Enterprises publishes 46 daily newspapers across 21 states.

Its statement read: "We're sorry. This site is temporarily unavailable. We recognise you are attempting to access this website from a country belonging to the European Economic Area (EEA) including the EU which enforces the General Data Protection Regulation (GDPR) and therefore cannot grant you access at this time."

Image source, LA Times
Image caption,
What the LA Times says when you click on its site from certain European countries

CNN and the New York Times were among those not affected. The Washington Post and Time were among those requiring EU users to agree to new terms.

What is GDPR?

Lawmakers in Brussels passed the new legislation in April 2016, and the full text of the regulation has been published online.

Misusing or carelessly handling personal information will bring fines of up to 20 million euros ($23.4m; £17.5m), or 4% of a company's global turnover.

Image source, AFP/Getty
Image caption,
Facebook founder Mark Zuckerberg recently testified to European MPs about data privacy

In the UK, which is due to leave the EU in 2019, a new Data Protection Act will incorporate the provisions of the GDPR, with some minor changes.

All EU citizens now have the right to see what information companies have about them, and to have that information deleted.

Companies must be more active in gaining consent to collect and use data too, in theory spelling an end to simple "I agree with terms and conditions" tick boxes.

Companies must also tell all affected users about any data breach, and tell the overseeing authority within 72 hours.

Each EU member state must set up a supervisory authority, and these authorities will work together across borders to ensure companies comply.

Skip twitter post by European Commission 🇪🇺
The BBC is not responsible for the content of external sites.
End of twitter post by European Commission 🇪🇺

The new chairwoman of the European Data Protection Board, Andrea Jelinek, told the FT she expected cases to be filed "imminently".

"If the complainants come, we will be ready," she said.

Ireland's data regulator Helen Dixon also spoke to the newspaper, saying the country was ready to use "the full toolkit" against non-compliant companies.

Both Facebook and Twitter have their EU headquarters in Ireland.

The new rules come amid growing scrutiny about how major tech companies like Google and Facebook collect and use people's personal information.

Facebook founder Mark Zuckerberg faced questions from MEPs earlier this week about his company's collection of data.

A data headache

By Kevin Connolly, BBC Europe correspondent

Millions of email inboxes all over Europe filled in recent weeks with messages from anxious companies seeking explicit permission to continue sending marketing material to and collecting personal data from their customers and contacts.

The new rules govern not just the collection and storage but its sale and exploitation for marketing - some companies based in the United States have decided to stop trading in the European Union at least temporarily rather than risk falling foul of the new law.

Members of the European Parliament (MEPs) see themselves as global leaders in a battle to reduce the power of giant internet technology companies and restore a degree of control to citizens and their elected representatives.