Misconception 1: This law is all about regulating big multinational companies
Facebook and Google are the first things newspapers tend to associate with this law and supporters of the new data protection legislation are selling it as a way of defending you from the power of American tech giants.

This is not to say there are no issues around your personal data on the Internet. But singling out social media or search results has let the data protection experts behind this law ignore its serious consequences for technological innovation, which brings real progress to our society and our economy.

The great irony is that the smaller, weaker European Internet industry will suffer more than its international counterparts. The extra fatigue for Internet users and additional costs for businesses in Europe will have very little impact elsewhere. Companies operating outside the EU will be able to nurture products and services in those markets, and then roll them out in Europe when they are strong enough to survive under European legislation. Innovators operating only in the EU will not have that luxury. They will be driven to give up or to leave Europe for Silicon Valley and China.

Meanwhile, every single company in Europe will be affected by these new rules. Simply because they all have to deal with employee or customer data. Or, more likely, both. This “one size fits all” regulation was developed with only a few types of business in mind, but it will hit all sectors, including your favourite NGOs or your start-up plan.

Europe is counting on digital goods and services to renew growth throughout our economy and create hundreds of thousands of new jobs. We need the digital single market to make great strides, not trip over itself.

Misconception 2: Stricter laws provide for better protection
It stands to reason that stricter data protection rules and a vastly expanded definition of personal data are better: the more data is covered, the more data is protected. Except it doesn’t. Companies and authorities would be faced with the unmanageable reality that in effect all data could be considered personal.

The current framework is difficult enough to comply with and harder still to enforce. The new rules stretch protection to cover any data that could be linked back to an individual, no matter how much effort is required or how unlikely it is to be used. This could render the system entirely unworkable and ironically make it easier for unethical companies to abuse your data. Meanwhile, no regulation can reduce the danger of hackers making off with your details.

Policymakers need to assess the real risks involved. There are many positive uses of data, for example in healthcare and education, where the benefits to people far outweigh potential privacy issues. And companies providing services over the Internet mostly need to get to know you so they can make you feel at home or help you find what you need quickly. Does this really bother you? After all, don’t you welcome being recognised in a local shop? In fact, according to the latest survey by the British telecoms regulator, nearly seven in ten adults say they are happy to provide personal information online to companies so long as they get what they want.

Customer data is also what helps businesses become and stay competitive. Isn’t that what Europe needs more than anything? Only a balanced, risk-based approach can make data protection work for people, businesses, and governments.

Misconception 3: Existing rules and principles are out-dated
Many people are unnerved by how much the Internet appears to know about them. This is generally because they signed up to digital services. The underlying bargain is that you get these services for free in return for advertisers being able to target you more precisely. And in the vast majority of cases, it is possible to opt out.

The European Data Protection Directive was introduced in 1995 when search engines were just starting out. But it continues to provide a solid protection of your personal data because the underlying principles have not been superseded. In addition, subsequent legislation has made sure your fundamental rights are guaranteed as technology evolves.

So why do people feel such a pressing need for new rules? There is always room for improvement, but we need to be very careful about unintended consequences. For example, reducing the differences between national interpretations of existing rules will make life easier for both people and businesses. However, those rules have been adapted to work alongside other legislation that protects you, such as the unfair commercial practices directive. Changes could introduce overlaps or conflicts and end up reducing, not increasing protection. In the end, the only winners could be the lawyers…

As we move more of our lives online, we will be sharing our personal data with an ever-wider range of organisations and in ways that haven’t been invented yet. If the new rules are going to stand the test of time, they must continue to be based on principles and we must be able to apply them whatever technology is involved.

And just as in our offline lives, common sense is often more effective than rules in protecting our privacy.

Misconception 4: The new law will not have an impact on innovation
Many people imagine that big data, bringing together and analysing large amounts of information, is crushing their rights as individuals. But big data is often your friend. For example, have you ever wondered how credit card companies protect you from fraud? Well, they create a profile of your spending habits, based on how you and others like you have used your cards in the past. These profiles help them predict a pattern of spending behaviour. Any deviation from this pattern triggers an alarm and lets them refuse purchases before they end up on your bill. Of course, fraudsters know about these techniques and try to game the system. Why would we want to help these criminals by preventing credit card companies from processing the data they need to stay one step ahead?

Car manufacturers also use profiling to detect maintenance problems early on, supermarkets to ensure their shelves are stocked with what you want to buy, electricity companies to produce power when you need it, and governments to counter benefit fraud and manage transport infrastructure. Unfortunately, the proposed legislation could severely restrict these positive uses of profiling. We need to exempt legitimate business interests and put the focus solely on practices that risk causing actual harm to individuals.

Similarly, personal data is an invaluable resource for health researchers. Those involved in cancer research are particularly concerned that the more stringent consent provisions in the new legislation will prevent them from assessing populations as a whole or following up properly on past studies. For many people, this could ultimately be a question of life or death.

Europe cannot afford to miss out on the benefits this technology brings. Existing businesses rely on it. The businesses of tomorrow will not exist without it.

Misconception 5: Only European data protection can stop the NSA from spying on us
Wherever you are in the world, some big brother or other is watching you. Governments have long had the authority to obtain data about people and can oblige companies to cooperate with legal requests. However, those companies can protect their customers’ data from unauthorised access.

We want governments to be able to safeguard us from crime and terrorism. But we also want to preserve our fundamental right to privacy. A balance must be struck, but how? National security and law enforcement are not in the scope of the new law. So far, so good: government surveillance and commercial use of data need to be treated separately. However, the supporters of this new law are trying to get round this distinction by using it to forbid companies to collect or process the data that governments are after. The problem is this is also the data companies need to offer people the services they want.

As German Green MEP Jan Albrecht put it, “No EU rules bind the security services.” To restrict their activities, he continued, it is “necessary to limit the amount of data which they can easily access.”

Limiting access to data is far from certain to shrink big brother, but it will no doubt shrink growth in Europe’s digital economy.

Misconception 6: Businesses just want to avoid heavy fines
Supporters of the new law claim that if companies are compliant today they will be compliant tomorrow. The truth is that many areas of uncertainty could upset the delicate eco-system of small businesses, especially those handling data on behalf of larger companies. A major concern is that the same severe sanctions can apply to a company mistakenly failing to respect the rules and one that deliberately sets out to break them. This is scary not just for businesses, but also for charities and political groups.

Legitimate businesses devote a lot of effort to looking after your data with respect. And they often invest significant resources in data management practices, technologies, and security measures that go beyond data protection requirements. So the current lack of punishment for companies that don’t seems more than a little unfair.

Far from wanting reduced penalties under the new legislation, they welcome the prospect of properly dissuasive fines. However, they would like to see flexibility so that data protection authorities can use their discretion to treat deserving cases fairly, but come down hard on flagrant violations.

The new law should make it easier to punish the bad guys, not put the good guys out of business.

When it comes to collecting and handling information about you (i.e. personal data), privacy mainly means that your data should only be collected and used for purposes you agree with.
Personal data
Though the legal definition is more complex, in simple terms this is data related to you as an identifiable individual, such as your name, ID/passport number, and date of birth.
An affirmative action, such as a “yes” reply, required by law if your personal data is to be collected or analysed.
An action taken based on the aggregation of data into specific patterns. For example: customisation of purchase recommendations based on previous purchases or language selection on a website.
Data protection
This refers to measures to ensure that your personal data is secured, that there are legitimate grounds for collecting and using it, that you understand and control its usage, and that it cannot be used in ways which can cause harm.
Data controllers
An organisation, or occasionally an individual acting in a professional capacity (for example a dentist), that decides what data are collected and how they are handled. They must ensure that all data processing is in accordance with the applicable law. For example, a hospital is a data controller; its IT providers are the data processors.
Data processors
Data controllers may decide to outsource part of their data processing activities. These companies, or occasionally an individual acting in their professional capacity, process data on behalf of and according to the instructions of a data controller. Examples include companies handling payroll functions or marketing services.
Data Protection Officer
This is the individual, generally an employee of a data controller or processor, who is responsible for making sure that all data protection obligations are being met.
Data subject
This is you and me: the individual who is identified, whose data is processed, and whose rights are protected.
As a specific technique for the de-identification of personal data, pseudonymisation is the process of removing the elements within personal data that point directly to the people concerned (names, identification numbers, etc.) and replacing them with artificial identifiers so no individual can be traced.
Pseudonymous data
Data that does not directly identify you, but combined with other information may allow for such identification. It can be the result of the pseudonymisation process (for example, key-coded health data used for clinical trials), or collected in a form that does not in itself allow identification (for example, many online identifiers).
Open Data
Data freely available for all to use. For example, weather data or public statistics.
Internet of Things
Ubiquitous environments where interconnected objects and machine-to-machine communication can improve various aspects of everyday life, relating to things such as energy consumption, healthcare, and shopping experience.
Must-read sites
Data Saves Lives
Academics, and patient and research organisations from across Europe are concerned that limits on the use of personal data will undermine studies of serious diseases and vulnerable groups.
Data Protection Officer: burden for SMEs
Hotels, restaurants, and cafés don’t want compulsory Data Protection Officers, say HOTREC and UEAPME.
Charity begins with people
Fundraisers are worried the new rules mean a data protection blunder could see them losing donors’ trust.
Just how big an issue is Big Data?
As the Big Data guru says, “Everyone from your grandma to your CEO needs to have a basic understanding of what it is and why it’s important.”
Big Data can be your friend
The benefits of big data can only grow if legitimate interests for businesses and researchers are balanced against individual privacy rights.
Your online choices
Straightforward information about how online behavioural advertising affects you in your country.
Privacy vs. Progress
This article explores the ethical quandary of big data, and recommends adhering to voluntary guidelines.
The Irish Facebook case: it’s complicated
A “Super-right” to Data Protection? This blog looks at the legal implications of the 2014 Irish Facebook case.
Real threat to individuals in the new rules?
This blog argues that the new Data Protection Regulation actually reduces protection for individuals.
Big Data, big responsibility
A US view that calls for organisations to handle data responsibly and boost trust, because no one “is immune from distrust when Big Data is involved.”
Cutting-edge research: The Brussels Privacy Hub
The Brussels Privacy Hub is bringing leading thinkers from around the world to examine data protection issues with policymakers, businesses, and NGOs.
Don’t protect the economy from growth
The European Data Coalition worries that the legislation risks slowing gains in productivity and innovation.
Reform for SMEs, not at their expense
The ESBA warns MEPs not to let protection hurt growth and jobs.
Balance the burden on small business
UEAPME is particularly concerned that the new rules should be technology neutral.
The trouble with EU Data Protection Law
This presentation sees the debate as a comedy about a corpse.
The age of consent
This presentation looks at the intricacies of explicit consent and purposing.
My Health Data – Your Research
Details of the problems for health data in the legislation are explored in this presentation.
What others are saying
Disclaimer: This section provides publicly available Position Papers of other stakeholders not necessarily participating in data now and not embracing views presented here