On Tuesday evening, the European Union settled on a new set of rules - hailed by Politico as "the biggest changes ... in two decades" - to protect Europeans' privacy and data.
The rules make it easier for people to control how their data is used, while granting regulators far stronger powers to fine companies that fail to abide by them.
Here are the key details:
- It will unify data protection rules across Europe, which should make it easier for companies to do business - they're no longer juggling dozens of different regulatory regimes. Likewise, they will only deal with one supervisory authority, which the EU claims will save €2.3 billion every year.
- The rules will apply to non-European companies if they want to do business in Europe.
- Companies are required to publicly declare "serious" data breaches.
- It enshrines the "right to be forgotten" in law. This will allow consumers to demand that a company deletes all information about them - if they have closed their account with a website, for example, or don't wish to be tracked by a marketer.
- Businesses can be fined up to 4% of global turnover for failing to comply. For a company like Apple - which had revenues of $234 billion in FY2015 - that would amount to nearly $10 billion in fines.
- The digital "age of consent" has been raised to 16. This means that any user 15 or under needs to gain the consent of their parent or guardian to sign up for apps and websites. This could have a major impact on a company like Snapchat, which has a large proportion of teen users. Google, Twitter, and Facebook reportedly lobbied against the last-minute proposal, and the FT reports that it will be up to individual member states to decide whether to lower this age limit to 13 again.
- Big companies are forced to employ a data protection officer. Small and medium enterprises are exempt - as long as "data processing is not their core business activity."
The rules will come into effect in two years' time.