The biggest alteration to pan-European data laws in two decades has been met with initial praise, although groups are urging support for those that could be affected.
Reports from the Guardian indicate that six months of negotiation between the European Commission, the European parliament and the Council of the European Union, added to four years of planning, has culminated in new privacy laws in a number of areas.
The most relevant changes for marketers are those within the General Data Protection Regulation, which governs the use of consumer data.
They promise tougher requirements for consent, where companies have to obtain “freely given, specific, informed and unambiguous indication” of someone’s intention to share their data, adding that “silence, pre-ticked boxes or inactivity” will not meet the new standards.
A blog from legal firm Wilson Sonsini Goodrich & Rosati says the new rules could “apply to virtually any business that offers its products and services in the EU market“, including those situated outside of the continent.
Tough action
Failure to comply with the Data Protection Package, set to become official over the next two years, could result in businesses suffering fines of up to 4% of their annual global sales.
Part of the reason why it has taken so long for the rules to gain a reform was down to the European parliament vouching for a fine of 5%, but it seems a compromise has been reached.
There is a maximum fine of €20 million for the most serious offenders, while a lower-tier penalty warrants a cap of €10 million.
Timothy Kirkhope, who led negotiations for the European Conservatives and Reformists Group, believes the changes can be positive, but only if companies are made aware of their wrongdoings.
“The key to whether this legislation succeeds or fails will be how the European Commission implements it,” he commented. “If the commission can make sure that businesses have a clear understanding of how the principles affect them, and the actions they must take, then it can have a positive effect.”
Kirkhope believes that assistance will be vital to smaller firms, who may not have the dedicated compliance teams afforded to bigger, multinational enterprises.
Erasing the past
Other changes to the EU Data laws include rights which dictate that children younger than 16 cannot have their information collected without parental consent.
For the last 20 years, companies have been able to collect data from people as young as 13 providing the individuals had agreed to have their information shared. Due to social networks like Facebook and Instagram collecting data on their users, this rule partly dictated the minimum age of someone signing up for a range of popular online services.
EU member states can however set this back to 13 should they so wish.
There is also space for consumers to have a “right to be forgotten” should they wish to do so. This would allow people to have traces of their past erased from the databases of companies that use them for marketing purposes, so long as there are legitimate grounds for them not to be retaining it.
An example of this going to work could be an old customer looking to sever their ties from a company they previously engaged with.
The rules are set for publication next year, with planners expecting them to be implemented in the 12 months that follow.