EU gives companies two years to comply with sweeping new privacy laws

Billion-dollar fines, a stronger right to be forgotten, and no Facebook for pre-teens are among the biggest changes

Companies could face massive fines in 25 European Union countries if they mishandle citizens' personal information, under a new privacy law due to take effect in 2018.

New age restrictions will mean no more Facebook or other social media for European pre-teens.

Today, fines for violations of EU data protection rules are typically limited to a few tens of thousands of euros, or hundreds of thousands in exceptional cases. That's hardly enough to upset companies such as Facebook or Google, which both reported billions of dollars in net income last year.

From 2018, though, data protection authorities will be able to impose fines of up to 4 percent of a company's worldwide revenue for breaches of the new privacy rules approved by the European Parliament on Thursday afternoon. For Google, the fine itself could now be in the billions of dollars. 

The new General Data Protection Regulation (GDPR) also enshrines and extends the "right to be forgotten" created by a ruling of the Court of Justice of the EU in 2014. Where the court merely ordered search engines to make it difficult to discover certain kinds of personal information on request from the subject, the new regulation will enable EU citizens to request that companies entirely delete data concerning them.

Exceptions allow companies to retain data for historical, statistical, scientific, and public health purposes, to exercise their right to freedom of expression, or where required by law or to fulfill a contract.

Citizens also gain the right to move their data from one company to another -- so switching email providers will be easier -- and rules on obtaining consent to collect personal information are reinforced. Pre-checked boxes or systems that require people to opt out of data collection will no longer be allowed.

Jan Philipp Albrecht, Parliament's rapporteur for the new law, said the GDPR represents four years' work by legislators.

It replaces the 1995 Data Protection Directive, introduced years before companies such as Google and Facebook were even founded. Directives are first transposed into national law, often resulting in variations in rules between countries, whereas EU regulations such as the GDPR are directly applicable in the EU member states.

The new rules, then, should be uniform throughout the EU and adapted to the Internet age, making it simpler for companies operating across European borders, online and off, to comply.

There are a couple of glitches in this perfect picture, though.

Three states, Denmark, Ireland and the U.K., have negotiated exemptions from EU home affairs and justice legislation, so the new rules will apply only partially in the U.K. and Ireland, while Denmark has six months to decide whether to adopt the new rules or reject them in their entirety.

Other national variations will exist in rules governing the age at which children can consent to the storage of their personal information: It will range from 13 to 16 years depending on countries' existing legislation. Whatever the country, though, it will mean no Facebook or other social media accounts for pre-teens across Europe.

The second glitch is that the GDPR doesn't cover all kinds of data: Another piece of legislation, the 2002 e-privacy directive, covers information exchanged through electronic communications services such as fixed and mobile phone networks, and there are inconsistencies between that directive and the new data protection rules. The European Commission is aware of this, and on Monday opened a three-month public consultation on how this needs to change.

The GSM Association, a trade body for mobile networks, welcomed the arrival of the new rules and called on the Commission to use the consultation to address the inconsistencies between the GDPR and the existing e-privacy directive.

"Consumers should be able to enjoy consistent privacy standards and experiences, irrespective of the technologies, infrastructure, business models and data flows involved or where a company may be located," said GSMA Chief Regulatory Officer John Giusti.

He cautioned that too much privacy would be bad for business: "The right balance needs to be struck between protecting confidentiality of communications and fostering a market where innovation and investment will flourish."

John Higgins, director-general of IT industry lobby group Digital Europe, also warned that privacy has a cost.

"While we continue to believe that the final text fails to strike the right balance between protecting citizens' fundamental rights to privacy and the ability for businesses in Europe to become more competitive, it is now time to be pragmatic," he said via email.

National differences in implementation are also a danger for those doing business entirely online, and threaten the EU's plans for a digital single market.

"If Europe fails to properly implement the GDPR across all 28 EU Member States, this could render the digital single market incoherent," he said.

Joe McNamee, executive director of campaign group European Digital Rights (EDRi), said the business lobby had already removed much of what legislators put in the original data protection package, but "the essence" had been saved.

Approval of the GDPR makes a moving target of EU data protection law for officials working on the Privacy Shield, a legal mechanism allowing companies to guarantee compliance with EU privacy rules when exporting citizens' personal information to the U.S. for processing.

On Wednesday EU data protection authorities called for a revision mechanism to be added to the draft Privacy Shield agreement to take into account future rules changes, including those now due to take effect in 2018.

Peter Sayer

IDG News Service