Europe’s New Online Privacy Rules Could Protect U.S. Users Too

Listen Now

The European Union is preparing to implement sweeping privacy rules next month, but these new protections of individuals' information may set a new standard around the world — including in the U.S.

Beginning May 25, under the new General Data Protection Regulation, companies that collect or mine personal data must ask users for consent. No longer will firms be able to bury disclosures about pervasive tracking in hard-to-read legal disclaimers.

"We're not entirely satisfied with that's in there," says Estelle Massé, an analyst with the digital advocacy group Access Now, tells NPR's Ari Shapiro. "However, it's a great improvement from the previous law and it's also a great basis for the use of data in the digital age."

What counts as "personal" won't just be attributes like race, height, weight and religion, but also an individual's IP address or browsing history.

Rayna Stamboliyska, a data protection specialist based in Paris, says that under the new rules, the Internet is a place where no means no. She compares digital consent to sexual consent.

"Before you even put your cookie on my computer, or in my mobile device, you have to make sure I consent to being followed," she explains.

A cookie is a small piece of data a website might slip into your smartphone or laptop to keep track of what you're doing online. Right now, without clearly asking your permission, she says, many sites are watching your every move. Under Europe's new directive, that's not OK. Consent must be given, and it can be taken away.

Stamboliyska gives a simple example. Say you want to buy a new pair of shoes. You're fine with marketers slipping a Zappos ad into your morning news feed. But then later, you're done shopping. Under GDPR, you must have a way to say: "Look, I'm fed up of your shoes. Now just stop profiling me, and stop following me. And please do remove the data you have of me because I no longer want you to keep it."

Europe didn't create Internet giants like Google or Facebook, but now it's engineering a legal way to control them. Companies that violate the new rules face penalties of up to 4 percent of their global annual revenue or 20 million euros (about $25 million), whichever is higher.

Stamboliyska says that for too long, American companies have gotten away with too little oversight. In a recent scandal, Facebook lost control over the data of 87 million users.

CEO Mark Zuckerberg said he was sorry, but Stamboliyska says: "We don't need your apology. We need you to be respectful."

Last week, the Facebook chief told Congress he plans "to make all the same controls and settings available everywhere, not just in Europe." Tech giants Microsoft and Google have indicated they are also extending Europe's privacy rights to users around the world.

Michael Cohen, a lawyer based in Minneapolis, advises American media and Internet companies that operate in Europe. How exactly U.S. firms deal with new rules on the collection and storage of personal data is a work in progress. The GDPR is, he says, "aspirational, meaning that of course we would like to strive for what's considered the gold standard."

If users in Europe start to see really simple language and get truly easy-to-follow prompts, he says, Americans might want what the Europeans have.

Internet users will start to see notices from their news, music, gaming and other apps in the coming days and weeks.

Copyright 2018 NPR. To see more, visit