Companies could face massive fines in 25 European Union countries if they mishandle citizens' personal information, under a new privacy law due to take effect in 2018.
New age restrictions will mean no more Facebook or other social media for European pre-teens.
Today, fines for violations of EU data protection rules are typically limited to a few tens of thousands of euros, or hundreds of thousands in exceptional cases. That's hardly enough to upset companies such as Facebook or Google, which both reported billions of dollars in net income last year.
From 2018, though, data protection authorities will be able to impose fines of up to 4 percent of a company's worldwide revenue for breaches of the new privacy rules approved by the European Parliament on Thursday afternoon. For Google, the fine itself could now be in the billions of dollars.
The new General Data Protection Regulation (GDPR) also enshrines and extends the "right to be forgotten" created by a ruling of the Court of Justice of the EU in 2014. Where the court merely ordered search engines to make it difficult to discover certain kinds of personal information on request from the subject, the new regulation will enable EU citizens to request that companies entirely delete data concerning them.
Exceptions allow companies to retain data for historical, statistical, scientific, and public health purposes, to exercise their right to freedom of expression, or where required by law or to fulfill a contract.
Citizens also gain the right to move their data from one company to another -- so switching email providers will be easier -- and rules on obtaining consent to collect of personal information are reinforced. Pre-checked boxes or systems that require people to opt out of data collection will no longer be allowed.
Jan Philipp Albrecht, Parliament's rapporteur for the new law, said the GDPR represents four years' work by legislators.
It replaces the 1995 Data Protection Directive, introduced years before companies such as Google and Facebook were even founded. Directives are first transposed into national law, often resulting in variations in rules between countries, whereas EU regulations such as the GDPR are directly applicable in the EU member states.
The new rules, then, should be uniform throughout the EU and adapted to the Internet age, making it simpler for companies operating across European borders, online and off, to comply.
There are a couple of glitches in this perfect picture, though.
Three states, Denmark, Ireland and the U.K., have negotiated exemptions from EU home affairs and justice legislation, so the new rules will apply only partially in the U.K. and Ireland, while Denmark has six months to decide whether to adopt the new rules or reject them in their entirety.
Other national variations will exist in rules governing the age at which children can consent to the storage of their personal information: It will range from 13 to 16 years depending on countries' existing legislation. Whatever the country, though, it will mean no Facebook or other social media accounts for pre-teens across Europe.
The second glitch is that the GDPR doesn't cover all kinds of data: Another piece of legislation, the 2002 e-privacy directive, covers information exchanged through electronic communications services such as fixed and mobile phone networks, and there are inconsistencies between that directive and the new data protection rules. The European Commission is aware of this, and on Monday opened a three-month public consultation on how this needs to change.
The GSM Association, a trade body for mobile networks, welcomed the arrival of the new rules and called on the Commission to use the consultation to address the inconsistencies between the GDPR and the existing e-privacy directive.
"Consumers should be able to enjoy consistent privacy standards and experiences, irrespective of the technologies, infrastructure, business models and data flows involved or where a company may be located," said GSMA Chief Regulatory Officer John Giusti.
He cautioned that too much privacy would be bad for business: "The right balance needs to be struck between protecting confidentiality of communications and fostering a market where innovation and investment will flourish."
John Higgins, director-general of IT industry lobby group Digital Europe, also warned that privacy has a cost.
"While we continue to believe that the final text fails to strike the right balance between protecting citizens' fundamental rights to privacy and the ability for businesses in Europe to become more competitive, it is now time to be pragmatic," he said via email.
National differences in implementation are also a danger for those doing business entirely online, and threaten the EU's plans for a digital single market.
"If Europe fails to properly implement the GDPR across all 28 EU Member States, this could render the digital single market incoherent," he said.
Joe McNamee, executive director of campaign group European Digital Rights (EDRi), said the business lobby had already removed much of what legislators put in the original data protection package, but "the essence" had been saved.
Approval of the GDPR makes a moving target of EU data protection law for officials working on the Privacy Shield, a legal mechanism allowing companies to guarantee compliance with EU privacy rules when exporting citizens' personal information to the U.S. for processing.
On Wednesday EU data protection authorities called for a revision mechanism to be added to the draft Privacy Shield agreement to take into account future rules changes, including those now due to take effect in 2018.