How Europe’s New Privacy Rule is Re-shaping the Internet

Photo: Wired

If you’ve been looking for it, you may have seen a lot of privacy policies change in the past few months. From Google to Slack, companies are quietly updating terms, rewriting contracts, and rolling out new personal data tools in preparation for a massive shift in the legal landscape.

So far, it’s mostly been a problem for legal departments, but as policy changes and contract fights go public, it’s started affecting the average web user, too.

The rule is called the General Data Protection Regulation (or GDPR), and it’s poised to reshape some of the messiest parts of the Internet. Here’s what you need to know about it.


The General Data Protection Regulation is a rule passed by the European Union in 2016, setting new rules for how companies manage and share personal data.

In theory, the GDPR only applies to EU citizens’ data, but the global nature of the internet means that nearly every online service is affected, and the regulation has already resulted in significant changes for US users as companies scramble to adapt.


Much of the GDPR builds on rules set by earlier EU privacy measures like the Privacy Shield and Data Protection Directive, but it expands on those measures in two crucial ways.

First, the GDPR sets a higher bar for obtaining personal data than we’ve ever seen on the internet before. By default, any time a company collects personal data on an EU citizen, it will need explicit and informed consent from that person.

Users also need a way to revoke that consent, and they can request all the data a company has from them as a way to verify that consent. It’s a lot stronger than existing requirements, and it explicitly extends to companies based outside the EU.

For an industry that’s used to collecting and sharing data with little to no restriction, that means rewriting the rules of how ads are targeted online.

Second, the GDPR’s penalties are severe enough to get the entire industry’s attention. Maximum fines per violation are set at 4 percent of a company’s global turnover (or $20 million, whichever is larger). That’s a lot more than the fines allowed by the Data Protection Directive, and it signals how serious the EU is taking data privacy. Google and Facebook could withstand a fine like that, but it would be enough to sink a smaller firm. If the new consent rules ask companies to reshape their data policies, the proposed fines give them the motivation to make it happen.


It’s too early to say. We know roughly what compliance looks like, but we still don’t know what enforcement will look like or how aggressive the EU regulators will be. The simplest takeaway is that breaches will get a lot more costly, and that cost will be spread a lot further through the network.

It will get more expensive to share user data, and sites will probably try to make do with fewer partners, which would certainly be a win from a privacy perspective. Regulations like this tend to hit small companies the hardest, so the GDPR might also tip the scales even further toward big players like Google and Facebook, even as the overall pool of data shrinks.

The rule could also create a divide between the European Union and the rest of the Internet. So far, most companies have aimed toward a single set of privacy rules for all users, which is why so many US users are noticing new privacy features and terms of service. But in many cases, it’s still easier to split off EU data, which could result in European users seeing a meaningfully different Internet from the rest of the world.