Illustration: Lazaro Gamio / Axios

Europe's goal with its strict new privacy regulations is to give consumers more control over their personal information, but some security and privacy experts worry the rules could put the squeeze on some kinds of businesses.

Why it matters: The General Data Protection Regulation (GDPR) imposes strict penalties for improperly collecting or storing users' personal information. But the devil is in virtually every detail, from what actually constitutes personal information to how to define "collect" and "store" — and the resulting confusion could impact everything from criminal investigations to the blockchain industry.

What GDPR is trying to do: GDPR requires global businesses to receive explicit consent to store the personal data of any European citizen and provide a mechanism for users to delete any stored information. It also tightens security practices, including encouraging encryption.

  • In the worst case, the EU will fine businesses 4% of global revenue, or a minimum of €20 million.

Where the problems begin: Personal information can be anything from the obvious (names, addresses, credit card information) to some more obscure pieces of data (users' internet addresses). But the law didn't foresee many of the instances where the public interest might be served by technology that doesn't follow its privacy rules.

Blockchain is one.

  • Blockchain, the public ledger at the heart of Bitcoin that is now being used for a variety of other purposes, may not be compatible with GDPR.
  • Laura Jehl, who heads both the GDPR and blockchain practices at the law firm BakerHostetler, notes that entries on a blockchain are theoretically indelible, but the pseudonymous ID codes used in blockchain may count as personal information that users would have the right to delete.
  • Bitcoin itself is likely exempt from the rule, she said, as Bitcoin lacks a definitive person or company in charge. But other types of blockchains with more definitive ownership would qualify.
  • "It’s strange, because blockchain is another way to approach the same problem" that GDPR addresses, she said.

The WHOIS database is another.

  • The WHOIS database, the internet's long-running public record of who owns which domain, is facing a likely shutdown with GDPR's advent. Many security professionals believe this will devastate their ability to fight cyber crime.
  • “To give you a sense of the scale here, just at IBM alone using WHOIS data we identify 1.3 million malicious domains per month that we share with the security industry to block spam and break up cybercrime campaigns. Without WHOIS data, our analysis found it might take over 30 days to detect malicious domains via other methods,” said Caleb Barlow, vice president of threat intelligence at IBM security, via email.

Smaller firms may not be ready: Large U.S. firms have kept their eye on GDPR for some time — 4% of revenue is a lot — but smaller firms are in for some rude surprises.

  • "Very large orgs aware of international presence are in pretty good shape," said April Doss, chair of the cybersecurity and privacy practice at Saul Ewing Arnstein & Lehr. "But midsize entities that think of themselves as primarily U.S. businesses are less prepared."

Prepare to lose EU members on skittish platforms: WarpPortal, makers of the game Ragnarok Online, posted a note last week saying it would simply stop serving EU customers once GDPR kicked in. Other services are likely to follow.

Whispers that U.S. firms will be in the crosshairs: U.S.-based privacy personnel have a nagging suspicion that the first firms in regulators' crosshairs will be in the U.S., to put a head on a pike. "It's going to be Facebook, right?" asked one expert I spoke to.
