New European Law Raises the Bar for Data Privacy Protection


A new European Union data privacy law is causing headaches for many American businesses.

It’s called the General Data Protection Regulation – or GDPR for short – and it went into effect Friday.

The law is designed to protect the privacy rights of EU citizens but could also impact data privacy policy in the U.S. That’s because any company doing business in the EU – or with customers in the EU – must comply with the new law or face huge fines of up to 4 percent of all global revenue or 20 million euros, whichever is higher.

It’s also why you may have noticed many websites now requiring you to agree to new privacy policies before granting access to their sites.

Debbie Reynolds, a global data protection and privacy expert at law firm Eimer Stahl, says that Europe has long been sensitive about citizens’ private data and privacy rights because of its dark history, in particular the use of personal data by the Nazis to identify and kill their enemies.

“As a result of the way Nazi Germany was using information about people to make life-or-death decisions about them, the EU decided that privacy was a fundamental human right,” Reynolds said.

The EU passed data privacy legislation in 1995, when the internet was still in its infancy, enshrining the right to privacy as a fundamental human right.

But Reynolds notes that since then, at least two key events led the Europeans to believe they needed to strengthen privacy protections.

“The first was the enactment of the Patriot Act (in the United States) – a lot of Americans’ data privacy rights were curtailed because of that. Labelling things as terrorism gave the state vast power to control people’s data – even including the data of EU people at that point,” she said. “The next thing that happened that was really big was the Edward Snowden-NSA hacking incident with WikiLeaks, which highlighted the ways personal data was being used by the U.S. in ways that the EU was not happy about.”

Reynolds notes that the EU has long believed U.S. data privacy protections to be inadequate. And GDPR is the response.

“Under GDPR, anyone in the EU has to give their explicit and affirmative consent for a company to use their data. They can decide at any time to revoke their consent. They can ask to see what data (a company has) about them. And they can ask that you delete or return it,” Reynolds said.

Although nothing in the new law would force U.S. companies to adopt GDPR data protection standards for non-EU citizens, large companies with global operations don’t want to maintain multiple data privacy policies for different countries. And with the EU being such a large market, they have little choice but to meet the new, higher data privacy standard.

By comparison, American data privacy laws are largely a patchwork of legislation that varies from state to state.

Reynolds believes the new EU law is already having some positive effects here.

“A lot of people are receiving emails about updates of terms of service and updates of privacy policies,” Reynolds said. “That is because GDPR calls for companies to make terms of service agreements and privacy policy information simpler to understand … I’m all for that. I think a lot of people don’t really understand how companies are using their data. The ‘free’ services that they are using, there is nothing that is free. These companies are monetizing their data and a lot of times if you told (consumers) in plain English what happens to their data after you’ve given it to them they would probably think twice.”

Reynolds joins Phil Ponce to discuss the implications of GDPR on businesses and consumers.

