Why New EU Privacy Laws matter for All

edited by Bianca Pick

When the EU legislation on data protection was put in place in 1995, the internet looked very different. While previously most data was stored on private or corporate computers, today much of our personal data is in the cloud, under the control of a third party platform or service providers, who are mostly based in Silicon Valley. Though social networks are certainly useful to stay in touch with friends and share information, storing personal data here also risks being used in ways that can have an economic and reputational impact.  

In response to this, the European commission has decided to pass the GDPR (General Data Protection Regulation). This new law intends to strengthen and unify data protection for individuals within the European Union (EU) while also addressing export of personal data outside the EU.

With the primary objective of giving citizens back the control of their personal data, the GDPR is also meant to simplify the regulatory environment for international business. Its main aspects come down to privacy by design, data portability, valid consent and mandatory right of erasure, communication about data breaches, and the ability to report compliance to these regulations. Adopted on 27 April 2016, GDPR will be enforced as of 25 May 2018 after a two-year transition period.

“This will impact every entity that holds or uses European personal data both inside and outside of Europe.”

Cyber security and data protection partner at PricewaterhouseCoopers (PwC), Stewart Room

Personal Data protection is an opportunity for EU companies

While many companies may still see laws like the GDPR as a threat to innovation, strengthening Europe’s data protection standards also has its benefits for business. As shown by the Eurobarometer survey and recent high profile data breaches, a growing distrust with online interactions can quickly interfere with consumers willingness to use and confide in new services. It can easily translate into lost opportunities and revenues.

Stricter laws may also protect companies from the costs associated with data breaches. As shown by companies such as Twitter, Google, Telegram and numerous others, restoring such breaches can cost millions. The damage done by Sony for example even crossed the $1 billion mark, causing huge financial burdens to the enterprise that could have been avoided through more rigorous privacy laws. 

Source: information is beautiful

By unifying regulation within the EU, the data protection reform also reduces administrative efforts for companies. While previously having to send reports to each individual country with their individual laws, companies must now only issue one single compliance report. EU citizens meanwhile, of which more than 90%  desire unity of data protection rights across the EU, can now rely on foreign services to be aligned with the security laws of their country.

My Data Conference

Many businesses are nevertheless going to have to rethink the way they produce profit in ways that are more agile and which don’t lock customers into a type of platform dependency. 

A diversity of parties, organizations and companies from around the world recently came together at the My Data Conference to discuss and prototype around the new laws. Among them were the Ministries of Finland and Estonia, research institutes like FIng from France, companies like Orange, Elisa, MAIF, the EU consortium AGILE, organisations such as the OKFN, as well as activists, experts and start-ups, like Jolocom.

Decentralization – specifically through blockchain – and the organization of data in an user-centric way was clearly identified as a main disruptor for the current business models. The GDPR therefore presents an opportunity for a decentralized web to show off its assets.


GDPR and the decentralized web

Higher data protection and privacy for individuals indeed calls for new decentralized technologies like blockchain and social linked data, that foster shareability, transparency and which organize data in a user-centric way.

The concept of data portability becomes particularly pertinent here as the GDPR establishes the right for individuals to own and freely transfer personal data from one service provider to the next. Instead of having individual user accounts, users could control and access their data through autonomous(self-sovereign) digital identities, choosing the service they like without leaving behind their data when switching platforms.

Able to engage with multiple roles, users could create future networks, companies, DAO’s (Decentralized Autonomous Organizations) or KYC (Know Your Customer) relations that are truly both interconnectable and interoperable. Companies meanwhile could focus again on their core service or products rather than becoming data platforms.

Trust equals peer-collaboration

Although the core of laws like the GDPR remain to protect citizens and respond to a growing concern of security issues, it enables a type of peer-driven collaboration that could open new gates similar to the peer dynamics of the web 2.0 (social networks) in an improved way for individuals, businesses and society in large.  

By strengthening the element of trust among citizens, laws like the GDPR encourage not only technologies for decentralization, but as a result a higher level of collaboration that also provides an alternative towards America’s silicon valley data practices

As economist Jeremy Rifkin puts it,  “(… business will play an)…increasingly streamlined role, primarily as an aggregator of network services and solutions. We are, however, … entering a world beyond markets where we are learning how to live together in an increasingly interdependent (decentralized) global Collaborative Commons.”