There is a growing realization that our data is under attack. From breaches at Equifax to Cambridge Analytica’s misuse of the profile information of more than 87 million Facebook users, it seems as if none of our personal data is safe. And more and more about us is being captured, stored and processed by smart devices like thermostats, baby monitors, WiFi-connected streetlights and traffic sensors.

In the United States, people who are concerned are looking to Europe. They see Europe’s “right to be forgotten,” by which citizens can force companies to erase some of their personal data, as a step toward regaining ownership of their online selves. And on May 25, the European Union will bring into force the most sweeping regulation ever of what can be done with people’s data.

This law, the General Data Protection Regulation, will give citizens greater control over their data while requiring those who process personal data in the European Union or about its citizens to take responsibility for its protection. The G.D.P.R. will give Europeans the right to data portability (allowing people, for example, to take their data from one social network to another) and the right not to be subject to decisions based on automated data processing (prohibiting, for example, the use of an algorithm to reject applicants for jobs or loans). Advocates seem to believe that the new law could replace a corporate-controlled internet with a digital democracy.

There’s just one problem: No one understands the G.D.P.R.

The law is staggeringly complex. After three years of intense lobbying and contentious negotiation, the European Parliament published a draft, which then received some 4,000 amendment proposals, a reflection of the divergent interests at stake. Corporations, governments and academic institutions all process personal data, but they use it for different purposes.