The new General Data Protection Regulation rules enacted by the EU more clearly define the right of citizens to decide when their data is gathered, how it may be used or packaged and how long it may be stored. The new regulations also call for fines on infringing companies of up to 4% of their worldwide revenue, whether the infringing entity resides inside the EU or outside Europe entirely.
Privacy regulations now include the right to have personal information deleted from a company database, the right to transfer your own data from one company to another, and the right to know if any third party has compromised your data. There is even an “affirmative consent” clause that requires a company to obtain direct permission prior to collecting or storing your data. That makes the prior practices of relying on implicit agreements based on fine print, or merely offering an opt-out option, explicitly insufficient under the new legal framework.
So-called data “profiling,” where user information is relied on to make predictions about the economic status, location, health or consumer preferences of any end user without their preauthorized consent, is also strictly prohibited.
As Wired magazine first reported, trade groups are less than thrilled with the wide reach of these new regulations. “While we continue to believe that the final text fails to strike the right balance between protecting citizens’ fundamental rights to privacy and the ability for businesses in Europe to become more competitive, it is now time to be pragmatic,” said DigitalEurope Director General John Higgins. “DigitalEurope stands ready to make the new legal framework for data protection in Europe work.”
However, privacy advocates are also not entirely happy with the wording of the legislation. Private companies can still collect personal data for “legitimate interests,” which seems to be a glaring loophole in the law that has not yet been fully examined by the legal community. Governments also continue to have expansive powers to collect and use data under several superseding laws aimed at national security purposes.
Whether this framework becomes functionally enforceable outside of the EU and gains global traction largely depends on how many other countries adopt similar restrictions on the commercial use of consumer data. The United States has been very quiet on the matter so far, but with the general election looming in November, it could quickly become a hot-button issue.