LONDON — After years of waiting, Europe's revamped privacy standards have kicked in.
The General Data Protection Regulation, or GDPR, is the largest overhaul of the region's rules in more than 20 years. It's aimed at giving the Continent's more than 500 million citizens greater control over how their digital information is used by companies and governments.
What can be expected from the new standards? And what are people's hopes — and fears — for the new rules, which are already being copied by countries worldwide eager to maintain access to Europe's well-heeled consumers?
What follows are the perspectives of the regulators, tech executives and privacy campaigners with crucial roles in determining how Europe's privacy rules will be implemented. These people also will determine, to a large degree, whether the Continent's data protection standards succeed or fail.
The Regulator: Helen Dixon, Irish data protection commissioner
Eyevine via Belga
More than almost anyone other European privacy regulator, Dixon — whose agency oversees data-hungry companies including Google and Facebook — will have her work cut out.
For Dixon and her 100-person team, the challenge will be to find a balance between an influx of data protection complaints due to land on her doorstep and long-term investigations into complex topics, such as how big tech firms explain their privacy policies to users. "It's a balancing exercise," she said. "How many big investigations can we take on?"
After spending much of the last year educating locals and the big internet players about how the new privacy standards will affect them, Dixon believes the biggest shift is how companies will become more accountable for their use of people's data — and the enforcement powers (fines may total up to €20 million or 4 percent of revenues, whichever is greater) that will back that up. But she remains concerned that each EU country is implementing the rules in slightly different ways, potentially hobbling region-wide efforts to supply people greater say over how their data is used.
"The intention was to modernize the law and harmonize it across Europe," she said. "It's clear we're moving away from that."
The Privacy Advocate: Max Schrems, data protection campaigner
Getty Images
As a veteran of various privacy battles, Schrems is already gearing up to file multiple complaints now that the new rules have taken effect. But even the Austrian campaigner — who has fought Facebook in several European courts on and off for almost a decade — is overwhelmed by the complexity of the new tools at his disposal. "I don't know where to start," he told POLITICO.
Schrems is concerned that many companies whose businesses do not rely on harvesting people's online information will be caught up in the regulatory burdens that come hand in hand with Europe's new rules. For that, he blames the tech industry's lobbying, which he said pushed lawmakers to make the standards as indecipherable as possible.
Schrems is also worried that digital companies are already rewriting the standards as they see fit. That includes making their updated privacy policies overly broad, allowing these firms to arbitrarily collect people's information without much regard to the new constraints on such data collection practices.
"Even before it starts, they are violating the rules," Schrems said. "The main question is how will regulators react to these privacy changes?"
The Tech Executive: Stephen Deadman, Facebook's data protection officer
Courtesy of Facebook
Even before the recent scandal involving Facebook users' data, Deadman knew that the social networking giant would be under greater pressure than most to comply with Europe's new data protection standards. The company has had a team of more than 300 lawyers, coders and designers working for more than two years on overhauling Facebook's privacy settings, though not all of these upgrades will be offered to non-EU users. "Because of the scrutiny we're under, we've had to scrutinize all of our processes," he told POLITICO.
For Deadman, who serves as the company's executive in charge of ensuring the company complies with the new standards, Europe's privacy rules are more evolutionary, not revolutionary. Many of the new rights granted to people, including the ability to pull consent from data collection practices whenever they choose, build on existing standards. One improvement, he adds, is that only one European privacy watchdog — not a series of often warring EU agencies — will now hold sole responsibility for how Facebook and others comply with the region's privacy rules.
"In the past, there was uncertainty about who got to regulate whom," Deadman said. "Now, there's a clearly established authority. That's a good thing in the regulation because it makes things clear."
The Privacy Expert: Trevor Hughes, president, International Association of Privacy ProfessionalsÂ
Courtesy of International Association of Privacy Professionals
Hughes, like many privacy professionals, has spent the last two years dissecting Europe's new rules. But he is still struck by how many unknowns there still are, particularly when it comes to enforcement. "There's just a lot that we don't know," he said.
As president of one of the world's largest privacy trade groups, Hughes believes the biggest change will be how companies and governments approach data collection. Instead of indiscriminately vacuuming up people's information, institutions must soon become stewards fully accountable for how they collect, store and manage data.
Hughes does fear, though, that the complexity of Europe's new privacy standards will make it tough for anyone without a deep knowledge of the region's data protection rules to truly grasp these new relationships that they have with so many companies. "Consumers really don't have the time to be making all of these decisions," he added.
The Commissioner: Věra Jourová, European justice commissioner
EPA
Jourová has a simple message: Europe's new data protection standards mark a cultural shift in how people and companies view privacy. The latest Facebook data scandal, she added, raised awareness that many were blindly handing over their information without much thought. And with new rules taking effect, the European justice commissioner acknowledges that it will take months, if not years, before Europeans become comfortable with exercising arguably some of the most wide-ranging rights anywhere in the world.
"People will get used to the new situation, they'll become more aware of what happens with their data," she said. "But that will take time."
The commissioner is aware that her job did not finish on May 25. Jourová said she will be actively cajoling national lawmakers and regulators to stay on track, particularly in countries that still have not passed their own domestic versions of the new privacy rules. Part of that role, she said, also includes ensuring Europe's new standards are upheld in the same way across the 28-member bloc. "In some states, privacy is a political priority. But in others, people are pretty relaxed about it," she said.
The U.S. Lawmaker: Ed Markey, senator (D-Mass.)
Getty Images
For decades, Markey has been on the front lines of privacy debate in Washington — animated, he told POLITICO, by the idea that as he helped to write U.S. legislation to aid the spread of technology, he also had a responsibility to advocate for policies that protect Americans' data, which may also have become exposed by these latest tech innovations.Â
"It's directionally excellent," Markey said when asked about Europe's new privacy standards, "because it deals with the core issue of receiving opt-in consent from the consumer."
For all the talk about how Europeans' and Americans' expectations on privacy may differ, these transatlantic views, he says, overlap when it comes to having a say about what happens to their data. "The American people are going to wonder why they're getting second-class privacy," Markey added. "If American companies can devise a way to create a privacy regime that is opt-in consent for more than 400 million Europeans, they have a lot of explaining to do to the 320 million people in the United States."
The new EU law, according to the U.S. lawmaker, will no doubt shape where U.S. privacy debate goes from here. "You can't tell the story of what's going to happen in America without telling the story of what's about to happen in Europe," he said.
The Consumer: Katharina Lemke, German citizen
Courtesy of Katharina Lemke
The first that Lemke, a higher education expert in Frankfurt, knew about the privacy changes was the slew of emails she began receiving from companies asking her to opt in to their new data protection policies. Like many Germans, she is more conscious of protecting her privacy than many other Europeans. But even Lemke succumbed to using services like WhatsApp, Twitter and Facebook after initially trying to wean herself off them. "I found that I was missing out," she told POLITICO.
She is aware that Europe's new privacy standards will supply her a bigger say over how her information may be used, and Lemke has been watching videos and practicing up online about what that could mean for her. Yet with everything going on in her life, the 30-year-old doesn't think she'll have the time to send requests to companies asking about how they use her digital data, let alone file complaints to stop the most egregious activities.
"When I get emails from companies, it's lot of text and I usually scroll over it and just accept the policies," she said. "It's a good opportunity to protect my privacy, but maybe it's all too much."
Nancy Scola contributed reporting from Washington.