Europe Passes Tough New Data Protection Laws
Companies violating the new legislation, which includes a “right to be forgotten” clause, can now be fined up to 4 percent of their overall global revenue.
The European Union on Thursday approved new data protection rules aimed at strengthening online privacy for Europe's 500 million citizens.
The legislation, more than four years in the making, will replace a patchwork of national rules and be adopted by the bloc's 28 member states over the next two years, coming into force in 2018.
Part of the legislation includes a “right to be forgotten” clause, allowing for consumers to demand firms such as Google or Facebook to delete non-essential information on them. This is unlikely to extend to news articles people want removed, which will likely be protected under freedom of expression rules.
Companies that violate the law can be fined up to 4 percent of their overall global revenue or €20 million ($22.7 million), whichever is greater. Given the size of some internet companies that could be impacted by the law, fines could potentially reach into the billions of dollars.
The new law requires companies to report data breaches within 72 hours, a regulation businesses may find hard to comply with.
The rules also state that individuals must give their “clear and affirmative consent” before companies, or governments, can process their private data. This is a potentially contentious part of the new law, as the U.S. government wants to continue scooping up European data which it says is needed in the fight against terrorism.
The new rules do allow for the streamlining of data transfers for policing and judicial purposes, which is aimed at improving security in the wake of the recent terrorist attacks in Paris and Brussels.
Speaking about the new law, European Parliament president Martin Schulz welcomed the new legislation as “crucial steps” in the digital age, adding that “the security of European citizens should never be ensured at the expense of their rights and freedoms."