EU gives companies two years to comply with sweeping new privacy laws

Billion-dollar fines, a stronger right to be forgotten, and no Facebook for pre-teens are among the biggest changes

Companies could face massive fines in 25 European Union countries if they mishandle citizens' personal information, under a new privacy law due to take effect in 2018.

New age restrictions will mean no more Facebook or other social media for European pre-teens.

Today, fines for violations of EU data protection rules are typically limited to a few tens of thousands of euros, or hundreds of thousands in exceptional cases. That's hardly enough to upset companies such as Facebook or Google, which both reported billions of dollars in net income last year.

From 2018, though, data protection authorities will be able to impose fines of up to 4 percent of a company's worldwide revenue for breaches of the new privacy rules approved by the European Parliament on Thursday afternoon. For Google, the fine itself could now be in the billions of dollars. 

The new General Data Protection Regulation (GDPR) also enshrines and extends the "right to be forgotten" created by a ruling of the Court of Justice of the EU in 2014. Where the court merely ordered search engines to make it difficult to discover certain kinds of personal information on request from the subject, the new regulation will enable EU citizens to request that companies entirely delete data concerning them.

Exceptions allow companies to retain data for historical, statistical, scientific, and public health purposes, to exercise their right to freedom of expression, or where required by law or to fulfill a contract.

Citizens also gain the right to move their data from one company to another -- so switching email providers will be easier -- and rules on obtaining consent to the collection of personal information are reinforced. Pre-checked boxes or systems that require people to opt out of data collection will no longer be allowed.

Jan Philipp Albrecht, Parliament's rapporteur for the new law, said the GDPR represents four years' work by legislators.

It replaces the 1995 Data Protection Directive, introduced years before companies such as Google and Facebook were even founded. Directives are first transposed into national law, often resulting in variations in rules between countries, whereas EU regulations such as the GDPR are directly applicable in the EU member states.

The new rules, then, should be uniform throughout the EU and adapted to the Internet age, making it simpler for companies operating across European borders, online and off, to comply.

There are a couple of glitches in this perfect picture, though.

Three states, Denmark, Ireland and the U.K., have negotiated exemptions from EU home affairs and justice legislation, so the new rules will apply only partially in the U.K. and Ireland, while Denmark has six months to decide whether to adopt the new rules or reject them in their entirety.

Other national variations will exist in rules governing the age at which children can consent to the storage of their personal information: It will range from 13 to 16 years depending on countries' existing legislation. Whatever the country, though, it will mean no Facebook or other social media accounts for pre-teens across Europe.

The second glitch is that the GDPR doesn't cover all kinds of data: Another piece of legislation, the 2002 e-privacy directive, covers information exchanged through electronic communications services such as fixed and mobile phone networks, and there are inconsistencies between that directive and the new data protection rules. The European Commission is aware of this, and on Monday opened a three-month public consultation on how this needs to change.

The GSM Association, a trade body for mobile networks, welcomed the arrival of the new rules and called on the Commission to use the consultation to address the inconsistencies between the GDPR and the existing e-privacy directive.

"Consumers should be able to enjoy consistent privacy standards and experiences, irrespective of the technologies, infrastructure, business models and data flows involved or where a company may be located," said GSMA Chief Regulatory Officer John Giusti.

He cautioned that too much privacy would be bad for business: "The right balance needs to be struck between protecting confidentiality of communications and fostering a market where innovation and investment will flourish."

John Higgins, director-general of IT industry lobby group Digital Europe, also warned that privacy has a cost.

"While we continue to believe that the final text fails to strike the right balance between protecting citizens' fundamental rights to privacy and the ability for businesses in Europe to become more competitive, it is now time to be pragmatic," he said via email.

National differences in implementation are also a danger for those doing business entirely online, and threaten the EU's plans for a digital single market.

"If Europe fails to properly implement the GDPR across all 28 EU Member States, this could render the digital single market incoherent," he said.

Joe McNamee, executive director of campaign group European Digital Rights (EDRi), said the business lobby had already removed much of what legislators put in the original data protection package, but "the essence" had been saved.

Approval of the GDPR makes a moving target of EU data protection law for officials working on the Privacy Shield, a legal mechanism allowing companies to guarantee compliance with EU privacy rules when exporting citizens' personal information to the U.S. for processing.

On Wednesday EU data protection authorities called for a revision mechanism to be added to the draft Privacy Shield agreement to take into account future rules changes, including those now due to take effect in 2018.

Peter Sayer

IDG News Service