Date: 2015-12-15
* Firms to face fines of up to 4 pct of revenues for breaches
* Companies to report data breaches to authorities within 72 hrs
* Deal subject to final sign-off by EU Parliament, member states
(Recasts, adds details, quotes)
By Julia Fioretti
BRUSSELS, Dec 15 - The European Union agreed on a
sweeping overhaul of fragmented data protection laws on Tuesday
that will force companies to report data breaches and face huge
fines for misusing personal data.
The new law enables EU national authorities to levy fines of
up to 4 percent of revenues on firms breaking the law, which
could mean billions of dollars for big tech companies like
Alphabet Inc's Google, Microsoft Corp and
Facebook Inc.
Member states and EU lawmakers have been negotiating since
June to reach a compromise on the reform, which was proposed by
the executive European Commission almost four years ago to
replace a patchwork of national laws dating back to the 1990s.
Politicians hailed what they called a "breakthrough."
"Today everything is digital so we need rules for an
enormous amount of issues and those rules have to be applicable,
they have to be sensitive, they have to be understandable for every
normal user," said Felix Braz, minister of justice of
Luxembourg, which holds the rotating EU presidency and therefore
led the negotiations on behalf of member states.
Under the new data protection regulation, companies will
face tighter restrictions on how they reuse Europeans' data,
something that will be of concern particularly to tech companies
that hold swathes of personal information and use it for
advertising.
Privacy concerns over where data is stored and how it is
used are rife in Europe, especially after former U.S. National
Security Agency contractor Edward Snowden revealed how U.S.
authorities harvested information directly from tech companies
like Apple Inc and Microsoft.
Companies will have to report breaches that are likely to
harm individuals to national authorities within 72 hours,
something legal experts expect will reveal the true scale of
data breaches in Europe.
Seeking to make operating across the 28-country EU easier
for companies, the new law establishes a single regulator for
multi-nationals in the country where they have their European
headquarters, the so-called "one-stop-shop."
However, uncertainty over how national data protection
authorities will be able to cooperate will lead to years of
litigation, lawyers say.
"This will come, it cannot be avoided," said Jörg Hladjk, a
lawyer at Hunton & Williams.
RIGHT TO BE FORGOTTEN
Businesses will have to get people's "explicit" consent to
use their data - something they have said is unwieldy when
dealing with huge sets of data - and appoint a data protection
officer to oversee privacy issues.
The regulation also enshrines the "right to be forgotten"
giving EU citizens the right to have obsolete information about
them deleted from the web, an issue that generated heated debate
last year when Google was ordered to scrub search results
appearing under a person's name.
Teenagers under 16 wishing to sign up for social networks
like Facebook and Twitter Inc will be able to do so
only with their parents' permission, unless individual countries
opt out and lower the threshold to 13.
Tuesday's agreement also includes a law protecting personal
data shared between law enforcement authorities.
The agreement is subject to final endorsement by both the
European Parliament and EU member states, expected by early next
week.
(Additional reporting by Alissa de Carbonnel in Strasbourg,
France; Editing by Barbara Lewis, Susan Thomas, Larry King and
Lisa Shumaker)