As expected, it took a couple of years until the European Commission, the European Parliament and the member states finally agreed on a new General Data Protection Regulation (GDPR). And it will apparently take until 2018 for it to become effective. Still, it is a welcome development that the reform has come this far and now seems to be almost done. Almost.

The current Data Protection Directive, which also governs privacy rights and data protection online, was drafted back in 1995, when the Internet was still in its infancy. Since then, the relevance of the internet as a communication medium and as a hub for public and private data has changed drastically. From personal messages, pictures and locations, from credit card data, online banking and health information to a myriad of business-related data, most of society’s daily life as we know it is now processed and stored online. The development of the internet and its effect on our lives, and on data protection law, could hardly have been foreseen 20 years ago. Consequently, many laws and regulations had, and still have, to be adjusted and rewritten in light of the massive spread and ever-growing relevance of the internet to all aspects of our lives.

One recent example illustrates this: judges had to make a basic decision about what happens to all the data in a person’s Facebook account when that person dies. The question raises many privacy and data protection issues, and yet laws and directives from 1995 cannot really clarify how to answer them from a legal point of view.

At the centre of the current reform stands the goal of giving European internet users more control over their personal data. Among other things, this includes the so-called “right to be forgotten”, which means that a person must be able to have their personal data deleted from a platform in a straightforward way. If the person does not want to delete the data but rather move it from one service to another, portability of personal data is key, so the rules on this will be strengthened. As an aside, the age at which a person can consent to the processing of their personal data will be set at 16 (member states may lower it to as little as 13), and online services will need the user’s explicit approval to use their data. It is worth considering who gives consent for the data of the under-16s. Any parents out there?

For global companies like Google or Facebook the new General Data Protection Regulation brings some important changes. For example, the rules apply to any online service provider that processes the data of users in the EU, no matter where the provider itself is located. Furthermore, the aim is that users can complain to their own regional authority about any online-related issue, independently of the company’s location. This is especially relevant ever since an Austrian had to go to an Irish court to sue Facebook, whose European headquarters is located in Ireland. The fines for data protection breaches are set at up to four percent of annual worldwide turnover (or €20 million, whichever is higher), which can be quite demanding for multinationals and is therefore expected to help enforce the new rules.

The reforms mean that companies will have to prepare more thoroughly in order to protect their customers’ and other stakeholders’ sensitive data. However, here another controversy arises: while law enforcement agencies from various countries aim to weaken encryption and increase their insight into private data and communications (for reasons of national security), the new legislation, privacy groups and corporate lawyers demand more and stronger protection for data by means of e-mail encryption and secure storage, and not just for some data, but for all of it.

The outcome of the new General Data Protection Regulation is accordingly controversial. While almost everyone agrees that it is important, and about time, that these rules are changed, many say that the Regulation’s text still bears too much of the handwriting of large corporations and their lobbyists, and that the user should be given much more power.

What further challenges the new Data Protection Regulation will bring to companies remains to be seen, especially for companies that use cloud-based infrastructures to process, exchange and store private data. Service providers will now have to respond more directly to these new rules and make clear contractual and technical arrangements for them. How fast, and to what extent, this will happen will become clear in the coming years.

Until then it would be most wise for companies to exchange and store secret and sensitive data with a security-first approach, especially where it is most at risk: in transit over public networks, outside the corporate security perimeter. By deploying modern, convenient tools that integrate into their existing IT infrastructure, they can send, receive and store encrypted e-mails and large files easily and securely, so that the data stays protected end to end and not only while it sits on their own servers.