The European Union (EU) Parliament recently passed new EU-wide data protection legislation. In the EU, data protection is a fundamental human right, so it only seems fitting that the continent would work to create a single set of rules that would govern everyone instead of allowing the member states to have their own, separate laws. This is also great news for foreign companies doing business in the EU, because it now means data protection laws will be streamlined. Businesses will no longer have to tailor all of their internal data regulations to each individual country.
Unfortunately, Newton’s laws are proven right time and time again – for every action, there is an opposite reaction – and these new laws are no different. While the streamlined system will make things much easier for businesses entering the EU market, the associated penalties for non-compliance are that much stricter. Companies will need to report any data breach they experience to both national officials and their users. Users must be informed how the company will use their data, and companies are expected to help create a system that enables “data portability,” which will make it easier for users to move their data from one service to another.
Along with these stricter requirements come more aggressive sanctions for violators, too. An organization found to have broken any of these data protection laws can be fined up to 4% of global revenue. For multinational corporations such as Google, Amazon and Facebook, this figure could be in the billions.
The new laws will go into effect this summer, giving member states an opportunity to prepare their law enforcement systems and allowing both citizens and foreign companies doing business in the EU to become knowledgeable about and prepared for these new changes.
Europe’s “right to be forgotten” laws have also proven to be a challenge for multinational companies. Google had challenged this policy but has apparently lost that battle. The right to be forgotten allows users to request that some of their personal data be taken down or removed from the company’s servers. In the US, compliance with this kind of request is at the company’s discretion, and typically US companies don’t comply with them. It isn’t hard to understand why they would be so strongly opposed to the implementation of this law in the EU; the international ramifications could be massive.
Whether Privacy Shield will conflict with these new EU laws is yet to be determined. Privacy Shield is the “Safe Harbor 2.0” being implemented in the wake of a ruling by the European Court that the Safe Harbor rules were insufficient to protect the personal data of EU citizens. Both laws are still in the process of being finalized and implemented. Given the time it has taken to create these laws, though, hopefully some kind of even ground can be found and the laws will work together instead of sending the parties back to the negotiating table.
Image credit to Flickr user Karen Rustad