(Brussels, June 6, 2018) – The new European Union General Data Protection Regulation (GDPR) will enhance privacy and should spur other countries to improve protection of people’s personal information, Human Rights Watch said in a question and answer document released today. The document summarizes key portions of the EU law and discusses what comes next.

“In the digital age, so much of what we do generates data that can reveal intimate details of our lives, thoughts, and beliefs,” said Cynthia Wong, senior internet researcher at Human Rights Watch. “The GDPR is hardly perfect, but it strengthens protections for privacy in the EU and shows that strong safeguards for data are both possible and good for human rights.”

As of May 25, 2018, the new rules are legally binding across the EU’s 28 Member States. The law, agreed upon in 2016, is one of the strongest and most comprehensive attempts globally to regulate the collection and use of personal data by both governments and the private sector. If robustly implemented and enforced, it can bolster the right to privacy in Europe and serve as a useful model for countries such as the United States that have comparatively weak protections for personal data.

The regulation requires government agencies and companies such as Facebook and Google to obtain genuine and informed consent before they collect data, and to clearly explain how they will use, share, and store it. Internet users have the right to ask companies and other organizations what personal data they hold, request corrections, and withdraw consent for their data’s continued use. People can bring complaints about data misuse to national data protection regulators, who can investigate and impose penalties for violations.

Public and private entities must promptly report data breaches, build privacy safeguards into their systems – known as “privacy by design” – and allow people to download their data so they can easily switch service providers if they choose. People can also appeal decisions based on algorithmic or automated decision-making and profiling by requesting human review. Such a review would provide safeguards against discrimination if algorithms are used to determine, for example, eligibility for public benefits, insurance, credit, or employment.

The new EU rules contain some shortcomings and limitations. Many provisions include vague, undefined, or potentially overly permissive terms. For example, governments and companies may obtain and process data without consent if their “legitimate interests” outweigh a person’s rights and freedoms. The regulation’s permissible legitimate interests are either not well defined or broadly drawn, which could create significant loopholes.

Regulators and courts will need to work vigilantly to make sure that governments and corporations do not try to exploit ambiguities in violation of rights. In addition, the regulations will not curtail large-scale government surveillance as they allow government processing of data without consent for undefined “national security” and “public security” reasons.

Data protection laws are critically important for human rights in the digital age, Human Rights Watch said. Many countries around the world have few, if any, such protections. Recent scandals involving Facebook and Cambridge Analytica and public concern about digital data breaches, targeted advertising, and unchecked private sector profiling have driven calls for greater controls over how personal data is collected and used.

“Governments and companies are increasingly amassing large pools of data on our private lives and using it to make important decisions that affect us,” Wong said. “Governments should regulate how this information is handled so that it is less vulnerable to abuse by governments, companies, or crooks.”