Companies have two years to comply with new European data privacy laws, the European Parliament ruled on Thursday afternoon.
Once the new General Data Protection Regulation law takes effect in 2018, however, companies that mismanage citizens' personal data may have to pay fines equaling up to 4% of their worldwide revenue.
Currently, fines for EU data protection violations are very small and unlikely to faze large tech companies like Google or Facebook.
After nearly four years of debate, European Union officials are moving forward on the EU-wide digital privacy law. Known as the General Data Protection Regulation, the law creates a strict new legal framework for how companies can use individuals’ personal information and gives EU countries just one set of rules to follow, replacing a patchwork of 28 different sets of national privacy laws. GDPR replaces the outdated 1995 Data Protection Directive.
The GDPR will substantially increase fines for companies that violate the rules, but makes it easier for companies that do business across EU borders to comply. But, it will also make some things more difficult for companies. For example, it will no longer permit pre-checked boxes or systems that require people to "opt out of data collection."
The statute also makes some things easier for consumers. For example, people will now be able to move their own data between email providers. And now, the "right to be forgotten" ruling is permanent. In 2014, the EU Court of Justice mandated that people could ask for search engines to remove irrelevant information that appears under a person's name on the Internet.
Some companies have already been preparing for the new EU privacy rules. In February, Google announced it would clean search results across all its websites in European countries when accessed from a European country.
Those most affected by the GDPR will likely be organizations that are currently free from EU data protection laws—namely data processors and those data controllers that are not established in Europe—both of which will find themselves liable for breaches of any EU data they have in their control.