Big companies to pay big fines for data misuse under newly-approved EU laws

© Pawel Kopczynski
Companies could find themselves paying billions of dollars in fines if they misuse people's information online, according to data protection laws backed by European officials. Large tech companies would be most affected by the legislation.

The data protection regulations – approved on Tuesday during a meeting of representatives from the European Commission, the European Parliament, and EU member states – outline that companies could be issued fines totaling up to four percent of their global revenues if they misuse Europeans' data online, or obtain information without people's consent.

That four percent could add up to huge amounts for big companies. For instance, Apple – which had revenues of nearly $234 billion in fiscal 2015 – could find itself shelling out $10 billion in fines if hit with a four percent penalty.

“This would be a major step forward for consumer protection and competition and ensure Europe has data protection rules that are fit for purpose in the digital age,” Jan Philipp Albrecht, a German politician who has campaigned for tougher penalties, said in a Tuesday statement.

Businesses would have to get people's “explicit” consent to use their data, and appoint a data protection officer to oversee privacy issues.

Companies would also be required to inform national regulators within three days of a reported data breach, and European citizens would have the right to ask that companies remove data about them that is no longer relevant or is out of date.

The laws would apply to any company that has customers in the EU – even if the company is headquartered outside the bloc.

According to European Justice Commissioner Vera Jourova, the approved rules are “good for citizens and good for businesses.” She said in a statement that both “will profit from clear rules that are fit for the digital age.”

But businesses – particularly large tech companies, which would be most affected – aren't as happy about the approved rules, with some complaining that they would unfairly target their activities more than those of smaller European rivals, the New York Times reported. That claim, however, has been denied by European politicians.

Companies such as Google and Facebook – which collect and mine data from social media posts and online search results as part of their online advertising strategy – have lobbied to either limit the strength of the legislation, or ensure that people have greater control over their online data.

In addition to its new rules for companies, the EU data laws state that anyone under 16 would be required to obtain parental consent before using social network sites such as Facebook, Snapchat and Instagram, unless any national government opts out and lowers the age limit to 13.

The rules also include a law protecting personal data shared between law enforcement authorities.

The legislation must still be approved by Europe's national governments and the European Parliament, which are expected to do so by early next week.