Europeans just won the right to decide when their data is collected, how it is used, and how long it is kept under new rules that fine companies—including those in the US—that fail to heed them. Although privacy advocates welcomed the regulations, they caution that loopholes could undermine them.

The European Parliament approved the General Data Protection Regulation rules on Thursday. The legislation applies to any company with customers in the European Union, and violating them could cost a firm as much as 4 percent of its worldwide revenue.

The new rules include the right to have your personal information deleted from a company's database, the right to transfer your data from one company to another, and the right to know when your data has been compromised. The rules also require companies to receive your "affirmative consent" before collecting and storing your data. Burying an agreement in fine print or merely providing an opt-out option isn't enough.

One of the most significant sections concerns the use of data "profiling"—using personal data to make predictions about your economic status, location, health and preferences without your permission.

An Imperfect Balance

Business groups aren't jazzed by the rules. The European technology industry trade group DigitalEurope has long criticized the legislation, arguing that it covers too many types of data and fails to make meaningful distinctions between relatively innocuous information like a person's name and country of origin and far more sensitive data like medical records and voting history.

"While we continue to believe that the final text fails to strike the right balance between protecting citizens' fundamental rights to privacy and the ability for businesses in Europe to become more competitive, it is now time to be pragmatic. DigitalEurope stands ready to make the new legal framework for data protection in Europe work," DigitalEurope director general John Higgins said in a statement.

Work in Progress

Privacy advocates, meanwhile, mostly welcomed the new rules. "It will improve transparency and certainty, and empower individuals," Estelle Massé and Lucie Krahulcova, policy analysts at the advocacy group Access Now, wrote in a blog post on Thursday. But the two explained their reservations about the rules in a blog post last December.

The rules allow private companies to collect personal data for "legitimate interests," they write, a potential loophole that must be addressed. They also note that governments and law enforcement retain great leeway in collecting data through provisions that allow data collection for national security purposes. And there are 30 cases in which individual EU member countries can interpret the rules as they see fit, leaving quite a bit of uncertainty in how the rules will be enforced. Individual countries have just over two years to finalize their implementations of the rules.

Privacy advocates and EU citizens alike claim that the new rules will benefit business by making the law clearer and more consistent across all EU countries. But the loopholes could add a layer of legal fog that leaves everyone unhappy. Lawmakers have their work cut out for them.