Modern field guide to security and privacy

How Europe's new privacy rules affect entire digital economy

The European Parliament on Thursday adopted a single set of rules on Internet privacy safeguards, giving individuals much more control over how their information is handled by both European and American tech companies. 

Vincent Kessler/Reuters
Members of the European Parliament take part in a voting session in Strasbourg, France, on April 12.

After four years of negotiations, the European Parliament on Thursday adopted sweeping privacy reforms that will not only change how the European Union handles personal data but will have ripple effects across the entire global digital economy.

The General Data Protection Regulation (GDPR) provides a single set of rules on Internet privacy safeguards, giving individuals vastly greater control over how their information is handled by both European and American tech companies. 

In fact, the data regulations, which take effect in 2018, extend Europeans' so called "right to be forgotten" – a two-year-old policy that gives Europeans the chance to erase their checkered past or erroneous posts from Google's search results – to any type of international company such as data brokers or retailers that collects digital repositories of Europeans' personal data.

And companies that don't comply with the rules will face fines of up to 4 percent of their worldwide annual revenue or 20 million euros, whichever is greater.

"This is the biggest legislative development in data protection law worldwide for the last 20 years," says Christopher Kuner, codirector of the Brussels Privacy Hub, a privacy research center.

"Companies will have to get their house in order," he says. "They’ll be dealing with a much more complicated and strict set of requirements and even though there is a period of two years before it comes into force, it really raises the stakes for companies."

The new data protection law will replace a previous rulebook that dates back to 1995, before widespread Internet usage.

Within the next two years, businesses must be prepared not only to comply with the new rules but to develop new mechanisms such as transparency reports to show regulators they are abiding by the privacy regime.

Additionally, the regulations require companies to report data breaches within 72 hours and larger companies will have to employ data protection officers.

The data protection rules also come as Europe is working to bolster data and information sharing in the wake of increasing migration to the continent and recent terrorist attacks in Paris and Brussels.

Also this week, the European Parliament passed a law to allow airlines to share passenger information with EU members. After resolving privacy restrictions that date back to 2011, the Passenger Name Record system will require airlines to share passenger information such as itineraries, means of payment, and baggage information with authorities in EU destination countries.

Even though Europe is changing laws that had previously blocked some government surveillance efforts, Europe is still resistant to sharing information with US spy agencies. Earlier this week, data protection watchdogs in Europe sharply criticized a proposed data sharing plan known as Privacy Shield between the US and EU over surveillance concerns.

Indeed, the debate over increased data privacy versus national security is very much alive in Europe. 

"The EU has to take a firmer stand on data protections," says Thomas Lanson, a researcher at the Paris-based French Institute for International and Strategic Affairs. "But it also has to find a way to combine security measures and privacy protections."


of stories this month > Get unlimited stories
You've read  of  free articles. Subscribe to continue.

Unlimited digital access $11/month.

Get unlimited Monitor journalism.