EU data protection privacy laws
The European Union has agreed on new data protection and privacy laws that give more rights to individuals and see companies facing massive fines if they fail to comply Getty

The European Union has delivered the biggest shake-up in data protection laws in more than two decades after agreeing on rules that will enhance individual privacy rights and could see companies facing multibillion pound fines if they fail to comply.

New European privacy laws were provisionally agreed on 15 December in Brussels after four years of debate and will look to provide the 28 member states a more universal set of rules to replace the outdated ones from 1995 that saw countries set their own fines for companies that violated data protection.

Now, companies which do not comply with the new laws could be hit with fines up to 4% of their global turnover.

The idea behind this hefty fine is to make companies that might run a slack data protection policy to tighten up their act and to raise standards across Europe. It's expected the law will come into full effect within two years.

New EU data protection laws in a nutshell:

  • Companies could face fines up to 4% of their global turnover if they fail to comply with new rules
  • Both the data controller and data processor will be jointly held responsible for data breaches
  • Large companies must employ a data protection officer
  • Companies will have to report data breaches that may harm individuals to authorities within 72 hours
  • It is up to each EU state to decide on a minimum age limit for social media use
  • Businesses must obtain explicit consent to use an individual's data
  • There will be stronger right to be forgotten control with old or inaccurate data to be removed from the internet if requested

"What's important at the end of the day is that they set a threshold that is important enough to have a deterrent effect on companies so they take data protection seriously," said David Martin, senior legal officer with consumer advocacy group BEUC.

The new legislation will also clarify exactly who is liable when there is a data breach. Currently only the data controller (the organisation that gathers your data) is held liable but going forward both the data controller and data processor (where the data is stored) will bear the punishment.

It also states it will be mandatory for large companies to employ a data protection officer, someone whose job it is to ensure servers, systems, protocol and privacy is kept tight and up-to-date. This doesn't not apply to small and medium sized companies, however, unless their business is data processing. Although all companies will have to report any data breaches that may affect individuals to national authorities within 72 hours.

Right to be forgotten

This landmark piece of legislation also seeks to assist individuals to gain more control over their personal data and what is shared. There will be a right for people to be forgotten, meaning anyone can get their personal data corrected or removed from the internet if inaccurate or outdated.

While good news for individuals, the new laws will give companies something to sweat about.

"Most companies will be shocked at the scale of the new rules and the work that needs to be done before the laws take effect in two years," says Stewart Room, head of PwC Legal's data privacy and protection service.

"New enhanced rights for people over their personal data may also unleash a wave of legal action and compensation claims against entities that will face new rights including the Right to be Forgotten – so that personal data is deleted and destroyed by organisations," he added.

Minimum age to use social media

Teenagers and social media companies will breathe a little easier following the news the minimum age for anyone to use social media services such as Facebook and Snapchat could raise from 13 to 16. It was proposed anyone under 16 would have to get parental permission to download or use social media or face being banned. There was outrage from teens, who make up a large portion of social media users, and companies who would take a significant hit in numbers. However, the EU hasn't slammed down an iron fist on raising the age limit but has stated it will be up to individual states to decide the minimum age of digital consent.

Phil Lee, partner in the Privacy, Security and Information group at European law firm Fieldfisher, has described this new ruling as "the most significant development in data protection that Europe, possibly the world, has seen over the past 20 years. Forget Safe Harbor and Right to be Forgotten – this is much, much more significant".

The rules that Europe agreed on 15 December will shape the way that businesses around the world interact with European consumers for decades to come. Europe has become the flag-bearer for best practice in the treatment of individuals' data.

"Businesses that get it wrong face substantial fines, potentially up to four per cent of global turnover. If data protection hadn't previously reached Board level before, it's about to now.

"Fundamentally, the regulation is about accountability. It's about businesses not only being compliant, but being able to show they're compliant," he added.