For U.S. companies which do business in Europe or who process the personal data of European Union residents, the world of data privacy and security is about to get much more complicated. While U.S. privacy law is unsettled, with rapidly proliferating state and federal laws and regulations and uncertainty as to how strictly they will be enforced, the rules in the European Union are tough and about to get much tougher. The General Data Protection Regulation (EU) 2016/679 (GDPR), slated to take effect in May 2018, will give consumers in the EU substantially more control over how their personal data is used. The increased control includes the right to:

1. access any personal data that has been collected;

2. obtain confirmation about whether an individual’s data is being processed; and

3. require that the data be ‘‘erased’’ if the consumer withdraws consent.

Originally published in Bloomberg Law on June 26, 2017.