SWEEPING CHANGES to the EU’s data-protection legislation will place strict controls on businesses and impose large fines for data breaches, require companies to obtain consent before they collect people’s information, and give citizens a “right to be forgotten” online.
“The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data,” EU commissioner Viviane Reding, who is responsible for data privacy, said yesterday in announcing the proposals in Brussels.
She said only if citizens felt their personal data was secure would they entrust it to businesses and authorities, buy online and accept new services.
Some 72 per cent of Europeans are concerned that their personal data may be misused, misplaced or passed along to third parties without their permission, according to a Eurobarometer survey.
Under the proposals, companies will have to obtain explicit consent from individuals to gather data from them, and must tell people when they are collecting it, why they are collecting it, how it will be used and for how long they will hold it.
At the moment many internet and social media sites and apps gather, use and sell on personal data without the user’s full awareness or permission.
Under a groundbreaking “right to be forgotten” clause, Europeans will be able to ask social media and other internet sites to remove personal information and images they have voluntarily posted to websites such as Google+, Facebook and MySpace, as long as there is no legitimate reason to retain it.
Citizens will also have a right to data portability – to move information from one internet service to another – similar to the right Europeans have to keep a mobile phone number permanently while moving it between telecommunications providers.
In the case of data breaches, companies will be required to notify data-protection authorities, as well as any affected individual, within 24 hours.
They could be fined as much as €1 million or 2 per cent of their annual global revenue for breaches or failing to comply with the regulations.
Multinational companies will also be affected by the new regulations, with incidents and complaints handled by the data-protection office in the European country in which they have their European base.
The Irish office of the Data Protection Commissioner will, therefore, have oversight of a large number of the world’s largest technology and internet companies, including Microsoft, Facebook, and Google, all of which have their European headquarters in Ireland.
Large companies with more than 250 employees will be required to have a designated data-protection officer.
Businesses have expressed concern about the proposals.
However, Ms Reding was adamant that the new legislation would make it easier and less costly to do business in the EU because regulations would be streamlined and implemented across all 27 EU states.
The commissioner added that the proposals, which need to be approved by the European Parliament, could take up to two years to implement.