The shape of future European Union privacy legislation is becoming clearer, as lawmakers closed in on an agreement late Tuesday.
Companies will have to obtain customers’ consent before collecting and processing their personal data, and could be fined as much as 4% of annual revenue for breaches of the rules. That would put potential penalties for giants like Google and Facebook in the hundreds of millions or billions of euros, compared to the paltry fines of tens or hundreds of thousands of euros that national privacy regulators can impose even for mass data breaches today.
The new laws will also make data controllers – typically the companies collecting personal information – and data processors jointly liable in case of misuse. Legislators hope that will cause companies to choose their partners more carefully.
Lawmakers have so far been unable to reach agreement on a minimum age at which EU citizens can consent to their personal information being collected, enabling them to sign up for social networking accounts without parental approval, for example. Members of the European Parliament had hoped to set the age at 13, but some national representatives in the Council had held out for a minimum age of 16. It now looks as though each member state will be allowed to set its own age limit between 13 and 16, obliging businesses wanting to target minors across Europe to add a few extra lines of JavaScript to their sign-up pages.
EU laws come in the form of either directives or regulations. Regulations apply directly to EU citizens and companies doing business in the EU, but the effect of directives is indirect: The 28 member states each have two years to transpose them into national law, often resulting in subtle differences in implementation from one country to another.
Existing EU privacy rules derive from the 1995 Data Protection Directive, meaning that companies must deal with a patchwork of different interpretations across the EU.
In January 2012, the Commission drafted a new General Data Protection Regulation, which Parliament approved, with modifications, in March 2014. Representatives of EU member states have been haggling over amendments to it ever since, reaching a compromise text that should be acceptable to Parliament on Tuesday evening.
Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE) will vote on the text Thursday, and the European Council too must give its approval.
Penalties
The level of fines is one of the more obvious points on which compromise was required. The original Commission proposal set the level at 2% of global revenue – compared to a maximum of 10% in antitrust cases – but Parliament wanted to crank that up to 5%.
The age limit for consent was a source of disagreement within the council: Unable to pick a number between 13 and 16, national representatives settled on allowing each country to choose its own age of majority for data protection purposes.
The new proposals haven’t been met with universal applause. Tech industry lobby group DigitalEurope issued a statement urging a more pro-business stance.
“While we acknowledge that the instrument may bring greater consistency to the varied interpretations of data protection laws across Europe, the result fails to strike the proper balance between protecting citizens’ fundamental rights to privacy and the ability for businesses in Europe to become more competitive,” a statement read. “We fear that the text agreed upon between the European Commission, European Parliament and the Council of Ministers last night will undermine the ability of businesses in Europe to invest, innovate and create jobs.
“With Europe’s future Digital Single Market set to rely heavily on the use of data to generate an anticipated €415 billion of additional economic gain, it is difficult to overstate the importance of the GDPR to Europe’s ambitions to secure its digital future.”
IDG News Service
Subscribers 0
Fans 0
Followers 0
Followers