On Tuesday, the European Union agreed on tough new data protection regulation for companies operating in the Continent — and huge fines for those that breach them.
The rules unify Europe’s disparate approach to data protection, will give Europeans more control over how their data is used, and allow regulators to impose fines of up to 4% of a company’s global turnover for violations. For a company like Apple — which had revenues of $234 billion (£155 billion) in FY2015 — that would amount to nearly $10 billion (£6.66 billion) in fines.
The rules still need to be approved by the European Parliament, although this is expected to go smoothly. After that, they will take up to two years to come into effect.
They will: Unify data protection rules under across Europe under one supervisory authority; require companies to disclose serious data breaches; allow for significant fines for noncompliance; allow users to demand companies delete information held about them; raise the digital “age of consent” under which children must have parental permission to sign up for apps and services to 16; and make big companies employ a data protection officer, and more.
Politicians are hailing the new regulations as a “breakthrough,” Reuters reports. But outside of the European Parliament, people’s opinions are differing wildly.
The tech industry
Reached for comment, both Google and Microsoft directed Business Insider towards Digital Europe. It’s an industry body that represents tech companies in Europe. Microsoft and Google are both members — along with Apple (Apple did not respond to a request for comment), Canon, Dell, LG, Motorola, Nokia, Panasonic, Qualcomm, Samsung, Sony, Xerox, and numerous other companies. It says it is disappointed by the new rules.
A statement from Digital Europe released on Wednesday morning says that “while we acknowledge that the instrument may bring greater consistency to the varied interpretations of data protection laws across Europe, the result fails to strike the proper balance between protecting citizens’ fundamental rights to privacy and the ability for businesses in Europe to become more competitive.”
It continues: “We fear that the text agreed upon between the European Commission, European Parliament and the Council of Ministers last night will undermine the ability of businesses in Europe to invest, innovate and create jobs.”
Facebook provided Business Insider with a statement that welcomes “consistent regulations that enable all companies to comply with the same standards across Europe, under the guidance of one lead supervisory authority”:
Having a single set of rules to protect Europeans’ personal data while creating opportunities for growth and innovation is important for people in Europe and the European economy. Although we are still reviewing the legislation in detail, we welcome consistent regulations that enable all companies to comply with the same standards across Europe, under the guidance of one lead supervisory authority. The implementation of the regulations will take place over the next two years, and we look forward to being part of this discussion.
The advertising industry
Many figures in the ad industry have expressed concerns over the new rules. Townsend Feehan, the CEO of the Internet Advertising Bureau’s (IAB) European arm, told Business Insider that “it’s the amputation of a significant revenue stream, just at the moment publishers are having such a challenge in switching to digital.” The stricter controls could make it harder for advertisers to use Europeans’ data — harming their businesses.
She added: “It’s an own goal [from the EU], [the impact] will be insidious and happen slowly over time. It will be an inexorable impairment on online media in Europe … it’s not good for media pluracy and democracy.”
Industry body ISMBA’s public affairs director Ian Twinn said: “The EU fix on the four-year run in trying to find a common agreement on data protection is a mixed bag. Of course advertisers, and businesses more generally, will be pleased that there is an end to the indecision. We particularly welcome the need to deal with only one data regulator … The fine detail may be better than the press release but at first sight both citizens and businesses will be disadvantaged. The European Parliament has failed to understand the impact of its hard-line political stance. This is the EU at its worst. The end result is a new regulation that is based on five-year-old thinking, sourced from old technology and old expectations.”
EDRi, a European digital rights group, takes the opposite approach to that of Digital Europe — lamenting that the new rules don’t go far enough.”Faced with possibly the world’s biggest ever lobbying onslaught, this agreement appears to have saved the essential elements of data protection in Europe. Sadly, there is little left of the initial ambition of the proposals,” said Joe McNamee, Executive Director of European Digital Rights. “However, the devil is in the detail and the detail hasn’t been published yet”. (The full text was published after the statement was issued.)
On Twitter, privacy activist Max Schrems describes the law as a “mixed compromise.” Responding to tech industry’s claims of legal uncertainty, he says he “could not agree more,” but asks pointedly: “WHO has actually lobbied against clear rules?”