The European Union’s new data protection laws came into effect on Friday (25 May), with Brussels saying the changes will protect consumers from being like “people naked in an aquarium”.
The EU’s so-called General Data Protection Regulation (GDPR) has been blamed for a flood of spam emails and messages in recent weeks as firms rush to request the explicit consent of users to contact them.
Even though the rules were officially adopted two years ago, with a grace period until now to adapt to them, companies have been slow to act, resulting in a last-minute scramble this week.
Britain’s data protection watchdog, the Information Commissioner’s Office (ICO), said that its site had experienced “a few interruptions” as the deadline loomed, but said that “everything is working now”.
Brussels insists that the laws will become a global benchmark for the protection of people’s online information, particularly in the wake of the Facebook data harvesting scandal.
“The new rules will put the Europeans back in control of their data,” said EU Justice Commissioner Vera Jourova.
“When it comes to personal data today, people are naked in an aquarium.”
Companies can be fined up to €20 million ($24 million) or 4% of annual global turnover for breaching the strict new data rules for the EU, a market of 500 million people.
The law establishes the key principle that individuals must explicitly grant permission for their data to be used.
The new EU law also establishes consumers’ “right to know” who is processing their information and what it will be used for.
People will be able to block the processing of their data for commercial reasons and even have data deleted under the “right to be forgotten”.
Parents will decide for children until they reach the age of consent, which member states will set anywhere between 13 and 16 years old.
The case for the new rules has been boosted by the recent scandal over the harvesting of Facebook users’ data by Cambridge Analytica, a US-British political research firm, for the 2016 US presidential election.
The breach affected 87 million users, but Facebook said Wednesday it has found no evidence that any data from Europeans were sold to Cambridge Analytica.
Facebook chief Mark Zuckerberg said in a hearing at the European Parliament on Tuesday that his firm will not only be “fully compliant” with the EU law, but will also make huge investments to protect users.
Zuckerberg said he was “sorry” for the Cambridge Analytica breaches, but also for its failure to crack down on election interference, “fake news” and other data misuses.
Big platforms like Facebook, WhatsApp and Twitter seem well prepared for the new laws, while smaller businesses have voiced concern.
But EU officials say they are initially focusing on the big firms, whose business models use a goldmine of personal information for advertising, while offering smaller firms more time to adapt.
Meanwhile Brussels has expressed impatience with the eight countries — out of the EU’s 28 — that say they will not have updated their laws by Friday.
EU Commissioner Jourova said the new rules are setting “a global standard of privacy”.
Many Americans who once criticised Europe as too quick to regulate the new driver of the global economy now see the need for the GDPR, EU officials insist.
“I see some version of GDPR getting quickly adopted at least in the United States,” Param Vir Singh, a business professor at Carnegie Mellon University, told AFP in an email.
Japan, South Korea, India and Thailand are also drawing “some inspiration” from Brussels as they debate or adopt similar laws, another EU official said.