New Data Protection Regulation from the EU

By Jean-Claude Elias - May 31, 2018 - Last updated at May 31, 2018

Still worried about how your personal data is handled online and what they are doing with it? Take heart, the new General Data Protection Regulation (GDPR) is here for you. Well, at least if you are a citizen of the European Union — in theory. But even if you are not, the GDPR is a clear sign that things are changing for the better, and will positively affect all of us. To what extent exactly remains to be seen.

By now, and especially after all the noise around people’s data usage on Facebook, we all know that there is no absolute guarantee whatsoever of actual privacy and personal data security on the web. There have been too many breaches of confidentiality over the past five to ten years, in countless instances, and Facebook’s misfortune is only the most recent in a long series.

Enter the EU’s GDPR, a set of new laws on the topic that is supposed to have come into force this week, on May 25 to be precise. What is really new in it and why is it important?

One of the main complaints often heard concerns the right to delete personal data from accounts and websites. Indeed, in the overwhelming majority of cases, when you unsubscribe from a service, the information you provided in your user profile is kept by the service. This is referred to as “data retention”. Some of the services, however, though not based in the EU, are updating their privacy terms and conditions.

For example, LinkedIn, the California-based, well-known professional “business and employment-oriented service that operates via websites and mobile apps”, in a recent update dated May 8, states that users’ data is kept for 30 days after unsubscribing and then is completely removed. This is definitely good news.

There has been a global, massive dispatch of emails by a huge number of online services and websites this very week, from airlines to banks, addressed to all users and assuring them that the GDPR will be taken seriously and applied, and that the service has updated its privacy terms according to the GDPR.

The scope of the changes introduced by the GDPR is wide. It is a long text that consists of 11 chapters and 99 articles. It can be found and downloaded as a PDF document at https://gdpr-info.eu/. It covers every possible aspect of the subject, of course, from the right to view, to modify and to permanently delete, to the fact that those under the age of 16 cannot reasonably provide personal information without their parents’ or guardians’ consent.

Whereas any move, however small, that may contribute to better protecting the consumer’s rights and privacy online is welcome and deserves praise, there is one single aspect of the GDPR that is particularly interesting and that is hard not to notice. It comes from the EU, not from the USA.

The biggest online services are in the USA, or at least have their headquarters there: Facebook, Amazon, Google, LinkedIn, and so forth. So why is the EU trying to better regulate privacy on the web, and not the USA? Or, to be precise, why is the EU doing more than what the USA is doing in that sense?

Historically, Europe has been at the vanguard of personal liberty. Without going back as far as the French Revolution of 1789, already in 1978, the CNIL was founded in France to set the terms for handling citizens’ personal digital data, well before the world was swept away by the Internet tidal wave. CNIL stands for Commission Nationale de l’Informatique et des Libertés: The National Commission on Informatics and Liberty. This was already 40 years ago, and it says a lot about the subject.

It remains to be seen how, in a general manner, the GDPR will affect the USA and the rest of the world. Some have already reacted, like www.forbes.com: “We’ve updated our Privacy Statement to support new EU data protection law.” An example to follow.
