Web firms face a strict new set of privacy rules in Europe, here’s what to expect (GigaOm):
- EU privacy rules apply to the processing of EU citizens’ data, even if that data is processed in another country.
- A court or tribunal in a country outside the EU may not demand the transfer or disclosure of an EU citizen’s personal data (as with the previous point, enforcing this one would be fun).
- Fines for not following this regulation could be as high as €100 million or up to five percent of an enterprise’s annual turnover, whichever is larger. In other words, the likes of Google would face much higher fines for privacy breaches than the paltry sums they have to pay today, making EU law much harder to ignore.
- People must consent to having their personal data processed, and must be able to withdraw that consent as easily as they give it. This would create a culture of opting in, rather than today’s norm of opting out.
- People have the right to get their personal data from someone who holds it, in a commonly used, interoperable electronic format. This would be a victory for campaigners such as Europe v Facebook.
- Because the regulation harmonizes EU data protection law, EU citizens who want to complain about the violation of their privacy rights in any EU member state can approach the local data protection regulator in a member state of their choice. This makes it a lot easier to bypass the fact that U.S. web firms base their European operations in Ireland, which has relatively light-touch privacy regulation. Again, a win for campaigners.
- Organizations processing people’s data must provide standardized information policies to explain what they’re doing with it and why.
- People have the right to have their personal data erased (with public interest exceptions, so journalists can probably rest easy). This includes data passed on to third parties.
- People can object to being visibly profiled in a way that could discriminate against them on the basis of race, political beliefs, sexual orientation and so on, and the organizations processing their data must make sure this discrimination doesn’t occur.