Companies face huge fines under hard-hitting new EU data laws
Published 15/04/2016 | 02:30
Companies will face fines of up to 4pc of global turnover under stricter data privacy laws passed by the European Parliament today.
The new laws, which mark a hardening EU attitude toward corporate use of personal data, also require companies to adhere to tighter rules on marketing, customer profiling and other areas where people's personal details are used.
"Consistent fines across the EU of up to 4pc of global revenue will provide a fairer, clearer approach to enforcing data protection," said Anthony Merry, head of data protection at the IT security firm Sophos.
"In addition, the proposal that national data protection authorities will have the power to impose fines on companies directly, instead of having to go through the courts, should make it easier and quicker to take action."
According to the EU's General Data Protection Regulation (GDPR), companies will now also have to appoint a data protection officer "if they are handling significant amounts of sensitive data or monitoring the behaviour of many consumers".
However, firms "whose core business activities are not data processing" will be exempt from this obligation, it says.
Under the new rules, companies will now need to get "clear and affirmative consent" to the processing of private data of EU citizens.
"Silence, pre-ticked boxes or inactivity will not constitute consent," said a European Parliament spokesman.
The law also obligates companies to comply with a person's right to bring their personal data if moving to another service provider.
And it says that there will be an age limit of between 13 and 16 under which children need to get parental consent to sign up to social media services.
"Those outside the EU will also need to pay attention as the law applies to all companies that hold data on European citizens, regardless of whether that company has an EU base or not."
There is also a new citizen's right to know if their personal data that is held by a company has been hacked.
"Companies and organisations will be required to notify the national supervisory authority of serious data breaches as soon as possible, so that users can take appropriate measures," said a spokesman for the European Parliament. Under the regulation, there are new limits to companies' abilities to automate the processing of personal data "to analyse or predict a person's performance at work, economic situation, location, health, preferences, reliability or behaviour".
And an EU-wide 'right to be forgotten' has been strengthened under the new rules.
The new data privacy laws come in the same week that European data privacy regulators cast doubt on the international 'Privacy Shield' agreement between the EU and the US on data privacy.
Europe's most influential privacy regulators say that 'Privacy Shield', which is due to replace 'Safe Harbour' as a mechanism by which companies can legally transfer data between the EU and the US falls short of standards set by the European Court of Justice.
The group of data privacy regulators said that it is "not yet in a position to confirm that the current draft adequacy decision does, indeed, ensure a level of protection that is essentially equivalent to that in the EU".
If data privacy authorities do not accept the new transatlantic agreement, it could mean that the accord will be challenged again in the European Court of Justice.
If such a challenge were successful, some data flows between EU and US companies would be classed as illegal under European law. Legal experts say that such a legal challenge has a good chance of succeeding.
Some elements of the new law's data sharing facilities for civil authorities may not have full effect in Ireland as both Britain and Ireland have "special status" on issues of justice and home affairs legislation.
"The directive's provisions will only apply in these countries [Ireland and UK] to a limited extent," said a spokesman for the European Parliament.
"Ireland can opt in on a case by case basis," said a spokeswoman for the European Commission in Ireland.
"Indeed, it has done so on the questions of taking part in some of the new arrangements for the relocation of refugees."