Companies could face massive fines in 25 European Union countries if they mishandle citizens' personal information, under a new privacy law due to take effect in 2018.
New age restrictions will mean no more Facebook or other social media for European pre-teens.
Today, fines for violations of EU data protection rules are typically limited to a few tens of thousands of euros, or hundreds of thousands in exceptional cases. That's hardly enough to upset companies such as Facebook or Google, which both reported billions of dollars in net income last year.
From 2018, though, data protection authorities will be able to impose fines of up to 4 percent of a company's worldwide revenue for breaches of the new privacy rules approved by the European Parliament on Thursday afternoon. For Google, the fine itself could now be in the billions of dollars.
The new General Data Protection Regulation (GDPR) also enshrines and extends the "right to be forgotten" created by a ruling of the Court of Justice of the EU in 2014. Where the court merely ordered search engines to make it difficult to discover certain kinds of personal information on request from the subject, the new regulation will enable EU citizens to request that companies entirely delete data concerning them.
Exceptions allow companies to retain data for historical, statistical, scientific, and public health purposes, to exercise their right to freedom of expression, or where required by law or to fulfill a contract.
Citizens also gain the right to move their data from one company to another -- so switching email providers will be easier -- and rules on obtaining consent to collect personal information are reinforced. Pre-checked boxes or systems that require people to opt out of data collection will no longer be allowed.
Jan Philipp Albrecht, Parliament's rapporteur for the new law, said the GDPR represents four years' work by legislators.
It replaces the 1995 Data Protection Directive, introduced years before companies such as Google and Facebook were even founded. Directives are first transposed into national law, often resulting in variations in rules between countries, whereas EU regulations such as the GDPR are directly applicable in the EU member states.
The new rules, then, should be uniform throughout the EU and adapted to the Internet age, making it simpler for companies operating across European borders, online and off, to comply.
There are a couple of glitches in this perfect picture, though.
Three states, Denmark, Ireland and the U.K., have negotiated exemptions from EU home affairs and justice legislation, so the new rules will apply only partially in the U.K. and Ireland, while Denmark has six months to decide whether to adopt the new rules or reject them in their entirety.