European Commission and European Parliament officials last week agreed on a new set of data protection laws, intended to strengthen individuals’ privacy rights and create a more consistent set of regulations across the twenty-eight European Union member countries.
According to a press release from the European Parliament,
“The new rules will replace the EU’s current data protection laws which date from 1995, when the internet was still in its infancy, and give citizens more control over their own private information in a digitised world of smart phones, social media, internet banking and global transfers. At the same time they aim to ensure clarity and legal certainty for businesses, so as to boost innovation and the further development of the digital single market.”
Highlights of the new rules include provisions addressing:
- Clear and affirmative consent to the processing of private data. Consumers will have more control over their private information, as consent must be manifested through some action clearly indicating acceptance of data processing. Silence can not constitute consent.
- Plain language. The new rules prohibit “small print” privacy policies. Information must be given in clear language before data are collected.
- Parental consent for children on social media below a certain age. Member states will set their own age limits for the consent requirement, but the limit must be between 13 and 16 years.
- The right to be forgotten. This right, which will now be codified in the regulations, allows individuals to request that their personal information be deleted from the databases of companies holding it, provided there are no legitimate grounds for retaining it.
- Breach notification. Companies will be required to inform national regulators within three days of any reported data breach.
- Fines for violations of the regulations. Regulators may issue fines of up to 4% of companies’ total worldwide revenue for misuse of consumers’ online data, including obtaining information without consent.
- Coordination among Data Protection Authorities. Cooperation among the national DPAs will be significantly strengthened to ensure consistency and oversight.
Importantly for those of us based in the United States, the new rules will extend to any company that has customers in the EU, even if the company is based elsewhere. The EU’s strict stance on privacy has often put their regulators at odds with American companies, which collect and mine data from social media and other web sites for purposes of advertising. But the tough EU privacy laws reflect a fundamental cultural difference between the U.S. and Europe when it comes to individual privacy; Eurpoeans view their right to data privacy as strongly as Americans view their constitutional right to freedom of speech.
The full Parliament will vote on the new regulations in the spring of 2016, and then member states will have two years to implement the provisions.