EU agrees 4% fines for data protection breaches

The General Data Protection Regulation (GDPR), put forward in 2012, is designed to provide a single set of rules around data protection in the EU. It will eventually replace the UK’s Data Protection Act – national governments will be given two years to enact the law into legislation. Companies must be compliant by December 2017.

Two draft laws in the package — a regulation and a directive — were agreed upon by European Parliament and Council members this week and were confirmed by vote in the Civil Liberties Committee this morning.

“Today’s negotiations hopefully have cleared the way for a final agreement”, said Parliament’s lead MEP on the regulation, Jan Philipp Albrecht. “In future, firms breaching EU data protection rules could be fined as much as 4% of annual turnover – for global internet companies in particular, this could amount to billions. In addition, companies will also have to appoint a data protection officer if they process sensitive data on a large scale or collect information on many consumers.”

“The regulation returns control over citizens’ personal data to citizens. Companies will not be allowed to divulge information that they have received for a particular purpose without the permission of the person concerned. Consumers will have to give their consent by a clear and affirmative action to the use of their data. Unfortunately, member states could not agree to set a 13-year age limit for parental consent for children to use social media such as Facebook or Instagram. Instead, member states will now be free to set their own limits between 13 and 16 years.”

More information can be found here.