EU Steps Closer to Adopting Data Privacy Rules

Privacy advocates see the rules as a model for the rest of the world but tech firms fear harm to their businesses.
Katie Kuehner-Hebert, December 16, 2015

The European Union has taken a major step toward adopting new bloc-wide data privacy laws that give consumers more control over how their data is used and retained.

After nearly four years of negotiation, EU officials agreed Tuesday on a final text of the laws, which would impose hefty penalties on tech companies for privacy violations.

The text of the General Data Protection Regulation, which governs the use and privacy of EU citizens’ data, and the Data Protection Directive, which governs the use of EU citizens’ data by law enforcement, must be definitively approved by the European Parliament and EU governments before going into effect in two years’ time.

Jan Philipp Albrecht, the parliament’s chief negotiator, said “firms breaching EU data protection rules could be fined as much as 4% of annual turnover,” amounting to “billions” for global Internet companies in particular.

As the Wall Street Journal reports, privacy advocates hope Europe will become a model for the rest of the world, while some tech executives say the EU’s new rules will hobble their businesses.

“For the first time, a law is trying to put extensive limits around the pervasive generation of data that happens now by default,” Eduardo Ustaran, a privacy lawyer for Hogan Lovells who works with U.S. tech firms, told WSJ. “Because business in general is becoming more data-dependent, every business will be affected.”

Under the rules, companies would not be allowed to divulge information that they have received for a particular purpose without the permission of the person concerned, and consumers will have to give explicit consent to the use of their data.

Politico noted that the new rules make both data controllers and processors liable for data breaches in the EU.

Companies are “going to say ‘if I’m liable for what this other company does, I’m going to put in measures to make sure they don’t break the law,’” David Martin, senior legal officer with consumer advocacy group BEUC, told Politico.

“This is the most significant development in data protection that Europe, possibly the world, has seen over the past 20 years,” Phil Lee, a partner with the law firm Fieldfisher, told the Guardian.
