Companies could face fines of up to 4% of their global annual turnover under new European rules on data protection.
It is the biggest shake-up to privacy regulation for 20 years, according to experts. The changes would make privacy “a board-level issue”, one lawyer said.
Peter Church, a technology lawyer at Linklaters, said it would make businesses “start taking these issues a lot more seriously”.
Although this new law will not come into force until 2018, the changes meant the tech giants would have to “pay more attention to what regulators are saying”, said Mr Church.
The new draft policy, in discussion since 2012, will need to be ratified by the European Parliament next year.
Other changes include:
- Firms will have to report serious data breaches to regulators within 72 hours
- Consumers’ right to be forgotten will be extended beyond search engines to all aspects of their web history – so, for example, a user could request to have his or her Facebook profile removed
- Consumers have the right to transfer their data from one company to another – so, for example, a user could request all data relating to shopping purchases be sent to them so they can transfer their preferences to a rival supermarket
- Companies that handle significant amounts of data will have to employ a data protection officer
Jan Philipp Albrecht, chief negotiator, said of the deal: “This would be a major step forward for consumer protection and competition and ensure Europe has data protection rules that are fit for purpose in the digital age.”
“The scale and breadth of the EU’s changes to privacy rules will deliver unprecedented challenges for business and every entity that holds or uses European personal data both inside and outside the EU.”
“Most companies will be shocked at the scale of the new rules and the work that needs to be done before the laws take effect in two years – it is not much time for the magnitude of the internal changes that will be required.”