Late last year, the EU agreed a text on new data protection rules throughout the Union, with major multinationals still thrashing through the details.
The text for the new ‘Data Protection Package’ was released as far back as last December but, according to some of the major multinationals that will have to comply with new regulations, progress has been slow.
Within the December text – agreed upon by EU officials – a new General Data Protection Regulation (GDPR) affecting anyone processing data in the EU or about EU residents brings in new, heavy penalties against companies that breach privacy laws.
What previously cost companies up to €250,000 now tops out at €20m or 4pc of global turnover, whichever is higher (a detailed report on the new rules is here).
A lot of details
This is in addition to new powers for data protection commissioners allowing them to order you to stop processing data or to delete it, and the continued right for data subjects to sue if their data privacy rights have been infringed.
However, due to varying interpretations across the EU, this is a bit messy. At least, that’s what Adobe Systems’ MeMe Rasmussen claims.
Noting that the new GDPR is 200 pages long, and written “by people who don’t run businesses”, she has said it will take time to work out what exactly her company is complying with.
Rasmussen is “a little worried” that member states can interpret some of the rules – like age of consent for people using social media – differently, with certain terminology yet to be clarified for her company.
Suggesting it may take “another few years” to work it all out, Rasmussen is clearly not one for thinking a revolution of thought is underway.
Work to be done
“There’s a good bit of work to be done,” agreed Google’s legal director Keith Enright.
“Not only to tease out what the data guidelines actually mean, but what they mean to individual data protection authorities, and data protection authorities collectively.”
Nobody seems to be disputing the new fines, though, with 4pc of global turnover for companies like Google, Facebook or Microsoft, for example, equating to eye-watering figures.
“It does change the stakes of a mistake,” said Microsoft’s chief privacy officer, Brendan Lynch.
“I view the introduction of the GDPR as an incremental step, but it’s probably a big step. The reality is that there are more obligations and things we still need to work out.”
Image of bag of mixed jellies via Shutterstock