The European Union has taken a major step toward adopting new bloc-wide data privacy laws that give consumers more control over how their data is used and retained.
After nearly four years of negotiation, EU officials agreed Tuesday on a final text of the laws, which would impose hefty penalties on tech companies for privacy violations.
The text of the General Data Protection Regulation, which governs the use and privacy of EU citizens’ data, and the Data Protection Directive, which governs the use of EU citizens’ data by law enforcement, must be definitively approved by the European Parliament and EU governments before going into effect in two years’ time.
Jan Philipp Albrecht, the parliament’s chief negotiator, said “firms breaching EU data protection rules could be fined as much as 4% of annual turnover,” amounting to “billions” for global Internet companies in particular.
As the Wall Street Journal reports, privacy advocates hope Europe will become a model for the rest of the world, while some tech executives say the EU’s new rules will hobble their businesses.
“For the first time, a law is trying to put extensive limits around the pervasive generation of data that happens now by default,” Eduardo Ustaran, a privacy lawyer for Hogan Lovells who works with U.S. tech firms, told WSJ. “Because business in general is becoming more data-dependent, every business will be affected.”
Under the rules, companies would not be allowed to divulge information that they have received for a particular purpose without the permission of the person concerned, and consumers will have to give explicit consent to the use of their data.
Politico noted that the new rules make both data controllers and processors liable for data breaches in the EU.
Companies are “going to say ‘if I’m liable for what this other company does, I’m going to put in measures to make sure they don’t break the law,'” David Martin, senior legal officer with consumer advocacy group BEUC, told Politico.
“This is the most significant development in data protection that Europe, possibly the world, has seen over the past 20 years,” Phil Lee, a partner with the law firm Fieldfisher, told the Guardian.