Will Europe’s New EU-Wide Privacy Rules Bring Coherence — Or More Chaos?

On Tuesday, European officials approved data protection regulations that formalize many of the court decisions and other regulatory positions that have been taken over the past couple of years. The new rules, in development since 2012, would take effect in 2017 and apply uniformly across the European Union.

While the new rules would create a set of relatively predictable guidelines for companies doing business in Europe, they are also at odds with US rules that are more liberal regarding data collection and usage. Some critics complain that privacy is weighted more heavily than free expression and that the rules would effectively extend beyond the physical boundaries of Europe.

In the words of the European Commission, the new rules provide the following:

• Easier access to your own data: Individuals will have more information on how their data is processed, and this information should be available in a clear and understandable way.
• A right to data portability: It will be easier to transfer your personal data between service providers.
• A clarified “right to be forgotten”: When you no longer want your data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted.
• The right to know when your data has been hacked: For example, companies and organizations must notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures.

The new regulatory framework also creates much more substantial fines and penalties for violations, up to four percent of a violator’s global revenues. In the case of Google, that would amount to $2.6 billion, or in Facebook’s case, $500 million, based on 2014 revenue figures.

The rules would apply to any company “doing business” in Europe — broadly defined. France and other countries in the EU have sought to extend the application of the Right to Be Forgotten (RTBF) to Google’s global index. Accordingly, these rules could have a wider impact than simply within Europe’s continental borders.

Prior to their passage, Attorney Daphne Keller wrote an in-depth discussion of the new rules in draft form. According to Keller’s blog post, the data protection rules will extend EU privacy jurisdiction over companies with any connection to Europe, however slight:

The GDPR asserts jurisdiction over entities that offer services to or “monitor” EU users. “Monitoring” seems to be defined broadly enough to include fairly standard web and app customization features, so the law reaches many online companies outside of the EU. In practice, regulators presumably will not prioritize or dedicate limited resources to policing small and distant companies. But the GDPR will be an issue for companies with growing EU user bases and presence in Europe; and regulators can choose to enforce the law against many more entities around the world.

Because the internet is a global marketplace, these data protection rules and penalties could have a global impact. This means Europe, as a practical matter, may start to dictate data handling and privacy policies for other non-EU markets — just as France is trying to do with RTBF.

While Europe’s desire to protect the privacy rights of individuals is laudable and legitimate (grounded in European history) there’s also an undercurrent of protectionism and punitive targeting of American tech giants that has animated the debate and thinking about the new guidelines.