Depending on whom you talk to, the footprint you leave online, whether it is the websites you visit or the emails you send, is essentially private and shouldn’t get in the hands of advertisers or anyone else. But to others, that history is merely business—data that can be used by companies to tailor ads to users.

At SXSW’s “A Game-Changing Shift in Control of Personal Data” panelists Nicky Hickman, founder and CEO of the U.K.-based Inglis Jane, Karen McCabe, senior director of technology policy and international affairs at the IEEE Standards Association, and Doc Searls, senior editor of Linux Journal and director of ProjectVRM at Harvard University, discussed the concept of data control in Europe’s new digital economy, where people set the terms of how their information is used.

In 2016, Europe adopted the General Data Protection Regulation, or GDPR. The measure, set to become enforceable in May 2018, requires businesses to follow regulations designed to safeguard user information.

A hot word in the discussion, Searls said, is “agency,” or the power people have to act with full effect in the world. Referring to websites that require visitors to accept terms and conditions concerning use of information, the Linux editor said the GDPR could give users the chance to turn around agreements so that companies “have to check yes to us.”

Hickman alluded to concern over how enforceable the GDPR will be and how businesses can comply with its standards. The regulation requires businesses to provide “reasonable” levels of protection of personal data, though it doesn’t define the term.

However, she said the GDPR could “change the economy” and possibly “end the online feudal system.”