After years of deliberation and study, the European Parliament has passed the most significant overhaul of the continent’s data rules in two decades.
The sweeping package of reforms has been a source of intense debate in Europe, as well as in the United States, where tech giants will be grappling with understanding and adapting to the new regulations.
European officials touted the rules as a step toward offering individuals greater protection and control over their digital information.
They also expressed hope that the reforms would unify data protection rules across the continent, as part of the broader goal of creating a Digital Single Market. Right now, many rules governing data and digital content are still controlled by individual member states, creating a complex system for any company seeking to do digital business across Europe.
At the same time, EU officials are betting that a more unified system will allow greater information-sharing between various law enforcement agencies in the fight against terrorism.
The new rules, which will go into effect this summer, officially embrace the controversial “right to be forgotten” law, following a court ruling that has required Google and other search engines to remove certain information at the request of users. Google’s public campaign to push back against this policy has apparently failed.
Companies will also be required to disclose more precisely how they are using people’s data and to create tools that enable “data portability” so that users can move their information from one service to another.
On the security front, companies are now obligated to inform national authorities of any data breaches, as well as informing customers. And companies must be able to demonstrate what steps they have taken to protect user data in any product.
With increased rules comes stiffer penalties. If European officials determine a company has failed to comply, the offender can be fined up to 4 percent of their global revenues.