Last Wednesday, the European Commission unveiled proposed changes to its data privacy laws. If the changes are adopted, companies will deal with a single, national data-protection authority in the EU country in which they have their main base. Individuals can submit complaints to the data-protection authority in their own country even when their data is processed by a company based outside the EU. Companies that break the rules would face fines from strengthened national regulators. The fine could be as much as 2% of annual global revenue.
The proposals include an individual’s right to be forgotten, under which individuals will be able to delete uploaded personal information if there are no legitimate grounds to retain it. There is also an emphasis that consumers must give their express consent for their data to be shared. In general, the proposals require explicit consent from the consumer.
Companies that deal with personally identifiable information from EU citizens need to revisit their privacy policies and determine if they need to be strengthened. Companies should also consider the U.S.-EU Safe Harbor Framework to ensure that their privacy policies comply with the EU Privacy Directive. The proposals will be passed on to the European Parliament and EU member states, and will take effect two years after they are adopted.