EU data policy reflects its cyber-strategy

Editor's note: The European Union's "strictest-ever" General Data Protection Regulation came into effect on May 25. While the GDPR is aimed at protecting people's private information, it has also sparked a debate on whether it will curb the progress of information technology enterprises in the EU. Two experts share their views on the issue with China Daily's Zhang Zhouxiang. Excerpts follow:

Regulation comes with disadvantages

Lu Chuanying, an associate researcher at Shanghai Institutes for International Studies

The GDPR has strict, detailed rules for the collection, storage, usage, transfer, as well as disposal of personal data, and covers the entire business process of both online and brick-and-mortar enterprises. It is thus fair to say the GDPR reflects the strategic purpose of the EU in cyberspace.

For long, the EU has relied on the United States for cybersecurity and the development of its digital economy. But now that the EU has set standards for cyberspace activities, its say in cyberspace-related affairs on the global stage could increase. More important, the EU's specific standards could even influence global cyberspace.

However, in the long run, the GDPR may not be risk-free.

First, the regulation will increase the cost of collecting and using data for enterprises. And while giant IT enterprises may be able to shift the cost to their customers, many small and medium-sized enterprises (SMEs) could be forced to wind up. In particular, startup enterprises will suffer. Besides, the fact that the EU has only a few IT enterprises with global influence could leave it at a disadvantage in global competition.

Second, digital economy relies heavily on the collection of big data from users for analysis. And the EU's strict regulation will, to a large extent, block this path and could change the business mode of the digital economy as a whole.

And third, the EU evaluates other economies and regions using its own standards and has now set very complicated legal procedures for those that fail to meet them. In response, some countries and regions could take countermeasures by limiting their data transfer to the EU and thus isolate the bloc. The worst victims in such a case would be ordinary netizens.

Since there is no absolute privacy in cyberspace, authorities should use a balanced regulatory policy so as not to hurt their own economies. Only time will tell whether the GDPR is a balanced or extreme policy.

Balancing the protection and free flow of data

Liu Quan, a senior researcher in cybersecurity at the China Center for Information Industry Development affiliated to the Ministry of Industry and Information Technology

Most of the media reports say the GDPR clearly defines the duties of companies that collect and store data, but few have noticed that it also grants individuals new rights, such as access to their data, the "right to be forgotten" (replacing a more limited right of erasure), and the right to refuse any automatic decision-making. By strengthening these rights, the EU aims to better protect human rights.

The EU hopes to minimize the possible negative effects on IT enterprises operating in Europe. A major obstacle between IT giants and SMEs is that the former often have big data storage which helps them to analyze and make correct decisions, while the data pools of the latter are too small to help. Certain clauses of the GDPR are aimed at facilitating data flow between them and thus remove this obstacle.

But it remains a challenge for the EU to strike the right balance between protection of personal data and free flow of data. Thanks to growing internet awareness across the world, an increasing number of people today consider the protection of personal data very important. For example, according to an Accenture survey conducted sometimes earlier, about 63 percent of the respondents in Britain were unwilling to accept open banking services, and their prime worry was leak of personal data.

Hopefully, the EU will address this problem by implementing and improving the GDPR. After all, digital prosperity should be combined with better protection of citizens' rights.