LISTEN LIVE KPR - On Air: Listen Live to classical, jazz and NPR news Schedule LATEST
KPR 2 - On Air: Listen live to KPR's all talk-radio service, KPR2 Recordings

Share this page              

3 Things You Should Know About Europe's Sweeping New Data Privacy Law

Listen to the Story

Biometric data is considered a special category requiring explicit consent under the EU's new General Data Protection Regulation law, which goes into effect Friday.

The U.S. takes credit for creating the Internet, and the European Union seems determined to govern it. On Friday, a sweeping new directive goes into effect called the General Data Protection Regulation, or GDPR. Taken together, its 99 articles represent the biggest ever change to data privacy laws. The new rules have implications for U.S. Internet users too.

Here are answers to three questions you might have about the new law and its potential impacts.

What is GDPR?

It's a new law that protects residents of the EU — people living there, including Americans. (If you're a European and live in the U.S., you're not protected.) Under GDPR, all companies that have an Internet presence — including large American companies like Google, Microsoft and Facebook — have to comply.

At the most basic level, GDPR expands what counts as personal data and your rights over that data. Your data is, for example, what you post on social media, your electronic medical records and your mailing address. It's also your IP address (a string of numbers that's unique to your smartphone or laptop), as well as GPS location.

The directive says people have to give permission for a company to collect their data. A company can't just sign you up without explicitly asking. And the more personal the data — say, biometrics, which is considered a special category under the law — the ask must be even more clear.

Europeans have a right to have their data deleted if they don't want a company to keep it. Companies have to delete the data without undue delay, or face a penalty.

I live in the U.S. How does it impact me?

If you're American, you're probably getting a lot of emails and push notifications from your apps and maybe even newsletters you forgot you signed up for. For example, new privacy notices from Spotify and eBay say you can request to delete personal data they've stored.

"But there's nothing binding about it," says attorney Michael R. Cohen, who is based in Minneapolis. "In the U.S., the business model is pretty much, companies can do what they want, so long as there isn't a specific law prohibiting it." The U.S. has laws protecting data privacy for health and financial records, and and for children. "Other than that, we're pretty much the Wild West," Cohen says.

That's how as many as 87 million Facebook users had their profiles land in the hands of a political operative. Last month, in testimony before Congress, Facebook CEO Mark Zuckerberg said he'd give Americans all the same controls Europeans have.

"We believe that everyone around the world deserves good privacy controls. We've had a lot of these controls in place for years. The GDPR requires us to do a few more things, and we're going to extend that to the world," he said.

In reality, Zuckerberg isn't offering the same protections. For Facebook users, there is a big difference between Europe and the U.S. when it comes to what is collected by default. In Europe, Facebook has to get permission to do facial recognition — and it's not the default setting. But in the U.S., it is. American users have to click through screens to opt out.

Will the new law hurt businesses that rely on data collection?

That is a key debate right now. One side argues that GDPR will be terrible for competition, giving big businesses a leg up over small ones. Small companies won't be able to afford the millions of dollars in expenses that come with managing and protecting data. So they won't survive.

Another camp argues that consumers don't trust businesses on the Internet anymore anyway (as evidenced by the rise of ad blockers). If that's the real problem, the laws will make a difference by making businesses think more deeply about what data they collect and why, and GDPR may improve the quality of the Internet.

But it's too early now and this is all a guessing game at this point.

Copyright 2018 NPR. To see more, visit

Tower Frequencies

91.5 FM KANU Lawrence, Topeka, Kansas City
96.1 FM K241AR Lawrence (KPR2)
89.7 FM KANH Emporia
99.5 FM K258BT Manhattan
97.9 FM K250AY Manhattan (KPR2)
91.3 FM  KANV Junction City, Olsburg
89.9 FM K210CR Atchison
90.3 FM KANQ Chanute

See the Coverage Map for more details

Contact Us

Kansas Public Radio
1120 West 11th Street
Lawrence, KS 66044
Download Map
785-864-4530 (Main Line)
888-577-5268 (Toll Free)