Marking the biggest changes to privacy laws in the European Union in two decades, negotiators agreed on data protection rules Tuesday night that will give consumers more muscle and threaten companies with hefty fines.
The 28 member countries must adapt their national laws or pass new ones within two years from the new law’s official publication, expected early next year.
Broadly speaking, the general data protection regulation gives consumers more control over how their data is used and retained. Companies that don’t abide by the rules will face fines up to 4 percent of global sales.
Negotiators also thrashed out an accompanying directive that covers data transfers between law enforcement agencies across the bloc.
“We all know personal data is part of our whole lives everywhere today. Everyone will be concerned, and we had to take our time to take everyone’s interest into account,” said Jan Philipp Albrecht, Parliament’s rapporteur on the regulation.
Current data protection rules date back to 1995. The new regulation has been in the works since 2011, but with Parliament and Council far apart on key issues, it took years to wear each other down.
Parliament originally wanted maximum fines of 5 percent of annual global sales, while Council was firm on 2 percent.
Their compromise still left the tech industry seething.
“A lot of companies are doing risk assessments, asking whether it is worth using data innovation when they might get nailed with a percentage of global turnover,” said Alexander Whalen, senior policy manager of Digital Europe.
But consumer groups wanted a big stick.
“What’s important at the end of the day is that they set a threshold that is important enough to have a deterrent effect on companies so they take data protection seriously,” said David Martin, senior legal officer with consumer advocacy group BEUC.
The new law will also expand the potential liability for companies. Currently, only the data controller is liable for data breaches in the EU. Soon, both the controller and the data processors will be jointly liable for any damages.
Simply put, if a retailer hires an outsourcing firm to manage its customer databases, the retailer is the controller and the outsourcing firm the processor.
Joint liability will quickly make companies more careful about their business partners, Martin added. “They’re going to say ‘if I’m liable for what this other company does, I’m going to put in measures to make sure they don’t break the law.’”
Companies, however, argue blanket liability will have the opposite effect.
“[This] will increase significantly the amount of information exchange between controllers and processors, not only increasing the transaction costs in the market but also exposing data subjects and business to increased amount of data breaches, cyber security risks, and corporate espionage due to increased amount of insider knowledge about processing,” said Rene Summer, director of government and industry relations at telecoms company Ericsson.
Right to be forgotten
The regulation also gives people the right to have their personal data corrected if inaccurate, and expands their right to remove irrelevant or outdated information.
This “right to be forgotten” extends a concept enshrined in the EU’s existing privacy laws. Consumers will have the right to stop a firm using data when they close an account, for example, or they can stop marketing companies from building a data profile of them.
That is a marketer’s nightmare.
“Ensuring that individuals don’t receive direct marketing messages any more can only be done if the marketer can retain data in a suppression file,” Sébastien Houzé, secretary general of the Federation of European Directive and Interactive Marketing.
The age of consent for data processing — meaning the age to sign up for Facebook, Gmail or Instagram — will be the choice of EU countries. The regulation sets it at 16, but governments will can lower it to 13, which is the current limit for many U.S. social media companies
The proposed change was not popular with tech companies or child-safety NGOs.
“The proposals do not take into account the reality of millions of children that have already become active users of these services. The feasibility of suspending their accounts and banning them from the platforms will be nearly impossible to implement,” said Emma Morris, head of international policy of the Family Online Safety Institute. “Vital protections offered to younger users of social media sites may be invalidated by causing children to lie about their true age.”
At the same time, Parliament wanted a person’s consent to process their data to be “explicit” — a higher bar than Council’s preferred “unambiguous.”
In the end, Council won.
A final key sticking point: Should it be mandatory for companies to have a data protection officer? Parliament said yes, Council no. In the end, the job is mandatory, except for small- and medium-size companies, unless data processing is core to their business.
The regulation also includes an element already agreed to in March: the so-called “one-stop shop” for data protection complaints.
This will allow people to complain about a company in their home country rather than the country where that firm’s EU headquarters is located. In cases that involve multiple EU countries, the country with the headquarters will take the lead, and a new European Data Protection Board will help settle disputes.
Shared data protection
Also Tuesday night, negotiators struck a deal on the new directive for protecting personal data shared between EU countries’ law enforcement agencies.
This directive sets out the responsibilities of the data controller to notify breaches and designate a data protection officer. It also spells out the limits and safeguards for data transfers to law enforcement agencies in countries outside the EU.
This directive, the regulation and the recently agreed passenger name records directive were effectively bundled together as a package of laws.
“The year 2015 will go down in history as the year of data protection, not only because of these three important pieces of legislation, but in addition several landmark rulings of the Court of Justice of the EU on the EU-U.S. safe harbor arrangement and the scope of application of EU data protection law,” said Monika Kuschewsky, special counsel at the Brussels office of law firm Covington & Burling.
This story was updated to add the latest news developments.