Explained: How does online data protection work in the EU

We take an in-depth look at what personal data is and how it is collected in the EU.

In early 2023, the European Union’s top three institutions banned TikTok from staff devices.
Governments from the United States to the United Kingdom – and countries across Europe – quickly followed suit. The reason? Growing concerns about data collection.
In Europe alone, there are an estimated 150 million TikTok users. In return for using the platform, those users provide a lot of personal data. Western governments have grown increasingly worried about the potential for that data to be accessed by the Chinese government. 
Despite Beijing rebutting the accusations, lawmakers remain sceptical.
But it’s not only TikTok that collects data, and the issues with data collection arrived long before the rise of the popular social media platform. All across the Internet, vast amounts of consumers’ personal data can be harvested from our search history, browser preferences, and the information we input.
Here, we take a look at what this means for you as a digital consumer and what the European Union is doing to protect your data. 
Personal data includes details like a person’s name, age, or email address among other things, and can be used to identify an individual.
This data can be made “pseudonymous” – meaning that all explicit personal data is removed to make it harder to identify a person – or “anonymous” – where all personal identifiers are removed so that an individual can no longer be identified.
There are many ways in which data can be collected online, whether through IP addresses, navigation data, cookies, or information we provide when filling out forms.
We also give away lots of data through social media, by “liking” or reacting to posts. Actions like these can reveal sensitive data, without us even realising.
This type of data, which could include things such as your sexual orientation, health data, political or religious affiliations, or data that reveals your race or ethnicity, is considered sensitive because revealing it can lead to harassment, discrimination, or even identity theft.
It is this sensitive data that is often the focus of concerns about data collection and the danger of potential leaks.
Collecting data is nothing new. However, the way in which data is collected online is. Today an unprecedented amount of data is collected and stored. 
In the digital age, our data makes up an increasingly important part of the digital economy; in the EU alone, data accounts for almost 3.6 per cent of the bloc’s GDP and, according to an EU report, is projected to reach a value of just under €1 trillion by 2030.
While the idea of data collection can seem somewhat worrying, it’s not all bad. The increase in personal data collection can have enormous benefits for consumers, with data used for everything from banking to healthcare. For example, the more data collected on patients’ past illnesses and treatments, the more doctors can understand about their health now and be able to find solutions. 
Though beneficial in many ways, the speed at which the digital economy has grown in recent years has made monitoring difficult for lawmakers. 
“Data is power. It is just the instruments that give [one] access to a lot of other rights – the access to target people, to provide content, to censor some content, not to show content to some people, to influence their political behaviour,” says Romain Robert, program director at European digital rights non-profit NOYB. 
One of the most infamous examples of the power of data was the 2018 Facebook-Cambridge Analytica scandal, when it emerged that the American social media giant had facilitated the collection of the personal data of up to 87 million people by the British political consultancy firm.
This data, which was collected without the users’ consent, was used by the firm to profile and target voters on behalf of former US president Donald Trump during his successful US presidential campaign in 2016. 
The scandal acted as a wake-up call for policymakers who realised the potential dangers posed to democracy and human rights by unregulated data collection.  
The EU brought in the General Data Protection Regulation (GDPR) in May 2018, the bloc’s first major data privacy and security law for the modern digital age. Believed to be the toughest privacy law in the world, the GDPR is legally binding across the 27 different European states. It also applies to any organisation that collects data on EU citizens, even if it’s not based in the union. 
The protection of data is underlined in the GDPR as a fundamental right. Personal data must therefore be protected and used in a ‘fair and legal’ way, meaning that it should be collected for a specified purpose and with the subject’s consent. A subject also has the right to access their data and to change anything that is wrongly recorded.
Organisations must also stick to seven principles or risk paying huge fines. Since the rules came into force five years ago, Google, Amazon, and Meta, among others, have all been fined millions for breaches. The largest to date was Amazon’s €746 million in 2021 for failing to comply with the GDPR.
Despite being the world’s strongest data law, the EU decided the GDPR needed to go further. Policymakers have now brought in the Digital Services Act package, which combines two separate acts: the Digital Services Act (DSA) and the Digital Markets Act (DMA).
The DSA will protect users by giving them more control over what they see online, such as targeted advertising, and help to limit the proliferation of illegal or harmful content. The DMA focuses more on boosting the digital economy by helping smaller digital companies to compete against larger ones.
By adding the package, the EU hopes to strengthen the now five-year-old GDPR.
Enforcing such tough laws, though, is tricky. Across the EU states, there are 27 national data protection authorities (DPAs), one for each country. The DPAs work together within the European Data Protection Board (EDPB) and are managed by the European Data Protection Supervisor in Brussels.
“It’s super complicated to enforce the GDPR in a cross-country case involving more than two or three countries. Even the Commission recognises that enforcement is an issue,” says Robert. To address these flaws, the EU Commission is bringing in new rules in summer 2023. 
Yet overall, the GDPR has made a huge improvement to personal data safety across the EU. With companies now – for the most part – following the new rules, citizens can rest assured that their digital rights are better protected than anywhere else in the world.
To understand more about how to exercise your rights under the GDPR, watch our video above.
Video editor • Matthew Ashe
Additional sources • Motion Designer: Matthew Ashe; Executive Producer: Thomas Duthois
