The European Union has adopted continent-wide privacy regulations that are being hailed by some as “a revolution” in data rights and by others as a new headache for tech companies. The new set of regulations on how Internet companies handle data in Europe, the largest such reforms in two decades, will do everything from modifying Google search results to requiring parental permission for teenagers to set up Facebook and Snapchat accounts to changing the way Microsoft Windows is bundled on computers.
Under the rules of the tentative agreement, which is likely to be approved early next year and go into effect in 2018, “companies will not be allowed to divulge information that they have received for a particular purpose without the permission of the person concerned,” the parliament’s chief negotiator Jan Philipp Albrecht told the AP. “Consumers will have to give their explicit consent to the use of their data.”
Here are some of the other biggest changes in the regulation:
• Companies can be fined up to 4% of their global revenue by EU authorities for privacy violations. These violations could run into the hundreds of millions of dollars yearly for larger companies such as Facebook, Amazon, Google, and Microsoft. EU officials say that maximum fines would only be imposed in serious cases or repeated infringements. National data-protection authorities will have the power to impose fines on companies directly, rather than having to go through courts, as is sometimes now the case.
• Anyone under 16 years old will require parental permission to set up social media accounts on services such as Instagram, Vine, YouTube, SnapChat, and Facebook; individual countries can lower that age to 13.
• The “Right to be Forgotten” will be codified across the continent, and users who feel Google and other search engines contain incorrect or outdated information about them, their personal lives, their businesses, or their activities in general can have them removed.
• Tech firms will be required to inform customers within 72 hours if their personal information has been breached.
The law follows a series of investigations of U.S. tech firms by European regulators and the landmark revocation in October of the Safe Harbor agreement, which allowed U.S. companies to transfer European citizens’ data to America under certain privacy standards. The new rules will apply to any company with European customers that stores data online, which includes scores of non-EU firms based everywhere from Silicon Valley to Japan.
“These new pan-European rules are good for citizens and good for businesses,” European commissioner for Justice, Consumers, and Gender Equality Vera Jourova said. “Citizens and businesses will profit from clear rules that are fit for the digital age, that give strong protection and at the same time create opportunities and encourage innovation in a European Digital Single Market.”
The aim is to update rules mostly written in the 1990s, and bring a patchwork of policies across the 28-nation bloc under one umbrella. The Commission says this will mean savings of 2.3 billion euros ($2.5 billion) a year for tech companies.
But by requiring higher hurdles for the collection and sharing of customer data, the rules also promise new financial and logistical burdens for Silicon Valley and other foreigners doing business in Europe. Last year, the globe spent an estimated $16.6 billion on big data infrastructure, software and services, according to IBM.
Silicon Valley is expected to turn to lobbying and legal maneuvers in individual countries to mitigate effects from the new regulations, as giants like Facebook, Google, and Amazon have done around other EU regulations. Some technology executives have worried that the maximum fines for multinational companies, at 4% of their revenue globally, will be disproportionately large. Others have said the law may prove to be too onerous on small companies, which lack the legal expertise and organization of larger companies.
Digital Europe, a Brussels-based trade organization whose members include Google and Microsoft, reiterated previous concerns that such a law was going too far in the direction of privacy, at the expense of business. “As the EU institutions enter the final stages of negotiations on the draft regulation, the question over whether a proper balance has been reached between supporting privacy rights and enhancing economic competitiveness still remains,” the group told The Hill.
“Most companies will be shocked at the scale of the new rules and the work that needs to be done,” Stewart Room, head of the data privacy practice at PricewaterhouseCoopers’ legal consultancy, wrote in a blog post. “Major retailers, the banking sector, and any entity that is aiming their marketing and promotion to consumers are especially at risk, as is any entity that uses data around children. Technology companies will also be in the firing line.”
The new rules were the result of attempts at sweeping privacy reforms that began in 2011 and gained new momentum after revelations by Edward Snowden in 2013 about global digital surveillance.