European officials approved long-awaited data protection regulations on Tuesday, the latest effort in the region to give people a greater say over how their digital information is collected and managed.
Original Source: Mark Scott, New York Times
The changes, expected to go into effect by early 2017, would put into law across the 28-member European Union some policies now enforced after court rulings or in specific countries only. They are intended to bolster Europeans’ privacy rights, which are viewed by the bloc as on a par with freedom of expression.
“These new Pan-European rules are good for citizens and good for businesses,” Vera Jourova, the European justice commissioner, said in astatement on Tuesday. They “will profit from clear rules that are fit for the digital age.”
The new rules were approved at a meeting of representatives from the European Commission, the executive arm of the European Union; the European Parliament; and member states. The officials had been meeting regularly since the summer to reach a compromise, though they often differed on how far Europe’s privacy rules should go in capping companies’ access to people’s online information.
Europe’s national governments and the European Parliament are widely expected to back the proposals later this week, support that is necessary for the rules to go in effect.
Among the new policies approved on Tuesday:
■ Allowing national watchdogs to issue fines, potentially totaling the equivalent of hundreds of millions of dollars, if companies misuse people’s online data, including obtaining information without people’s consent.
■ Enshrining the so-called right to be forgotten into European law, giving people in the region the right to ask that companies remove data about them that is either no longer relevant or out of date.
■ Requiring companies to inform national regulators within three days of any reported data breach, a proposal that goes significantly further than what is demanded by American authorities.
■ Obliging anyone under 16 to obtain parental consent before using popular services like Facebook, Snapchat and Instagram, unless any national government lowers the age limit to 13.
The biggest American tech companies face intensifying scrutiny by European regulators, with — pressure that could potentially curb their sizable profits in the region and affect how they operate around the world.
■ Extending the new rules to any company that has customers in the region, even if the company is based outside the European Union.
The tough stance on privacy has often put the European Union at odds with large American tech companies like Google and Facebook, which collect and mine data from social media posts and online search results as part of their digital advertising activity. The companies, as well as consumer groups and some national politicians, have lobbied to either limit the strength of the legislation or to ensure that people have greater control over their online data.
“Europe’s approach to privacy is much stronger than in the United States,” said Peter Church, a technology lawyer at Linklaters in London. “There’s a fundamental difference in culture when it comes to privacy.”
Policy makers agreed on fines totaling up to 4 percent of a company’s global revenue for the most serious breaches to European data privacy rules — potential sanctions that put Europe’s data protection rules on par with the region’s onerous competition laws.
“This would be a major step forward for consumer protection and competition and ensure Europe has data protection rules that are fit for purpose in the digital age,” Jan Philipp Albrecht, a German politician who has campaigned for tougher penalties, said in a statement on Tuesday.
The threat of sizable fines has raised concerns for many of the large tech companies that will be most affected by the changes, some of which have complained that Europe’s data protection overhaul unfairly targets their activities compared with those of smaller European rivals. European and national politicians deny the accusations.
“Linking sanctions to worldwide turnover makes zero sense,” said Alexander Whalen, a senior policy manager at Digital Europe, a Brussels-based trade body whose members include Google and Microsoft. “We have to be smarter about this.”
Facebook, for instance, has run into problems after at least five national privacy watchdogs — in Belgium, France, Germany, the Netherlands and Spain — started investigations into whether the social network broke data protection laws. Last month, a Belgian court ruled that Facebook could not collect information on people in the country who did not use its service, a ruling the company is appealing.
Facebook contends that Ireland — where the company has its international headquarters — is the only country that can make such privacy rulings, though Europe’s new data protection rules would allow the region’s many data protection watchdogs to intervene if they suspect their citizens’ data has been misused.
“National authorities still have a lot of room to decide how to implement the rules,” said Patrick van Eecke, a data protection lawyer at DLA Piper in Brussels. “That was not supposed to be the intention of these reforms.”