EU's tough new data protection rules

Activist group 'Raging Grannies' staged a demonstration outside Facebook HQ in California last week, calling for better consumer protection and online privacy

The European Union introduces tough new data protection rules next month to give people more control over the way their personal information is used online, as Facebook is grilled over the Cambridge Analytica scandal.

The EU's General Data Protection Regulation (GDPR), which takes effect on May 25, will simplify rules by replacing the current patchwork of national laws and creating a Europe-wide regulator to enforce them.

Facebook chief Mark Zuckerberg told US lawmakers on Tuesday that the company plans to fall in line with GDPR rules as it seeks to rebuild its reputation after the Cambridge Analytica data breach.

US-British political research firm Cambridge Analytica plundered detailed data on 87 million users to be used in the 2016 US presidential election.

Here is a run-down of the key elements of the GDPR:

Clear information

Companies gathering and processing personal data will have to tell their users who they are, what information they are using and why, how long it will be stored and who will have access to it.

The EU says the information must be "clear and understandable" and users have the right to access the personal data an organisation has on file about them.


Companies must ask for users' consent to process their data and clearly indicate how they will use it. The rules say this consent must be "an unambiguous indication of your wishes and be provided by an affirmative action".

"Companies won't be able to hide behind long legalistic terms and conditions that you never read," the EU says in official guidance to citizens.

Users will have the right to opt out of direct marketing using their data, and companies must give extra protection to sensitive data on health, race, religion, sexual orientation and political beliefs.


Customers will have the right to access their data and have it transferred to another company, for example when they change from one cloud data storage provider to another.

The EU says this will make it easier for people to change providers for various online services and help new start-ups compete with existing social networks.

Right to be forgotten

Customers will have the right to ask a company to delete their data if there is no legitimate reason for it to be kept.

There have been concerns this could be abused by public figures such as politicians to hide embarrassing incidents, but the EU insists it is "about protecting the privacy of individuals, not about erasing past events or restricting freedom of the press".

Timely reporting

Companies must inform users of data breaches "without undue delay" and tell authorities within 72 hours.

Big fines

The GDPR includes a range of tools to enforce the new rules and punish companies for breaches. These include warnings and reprimands and stiff fines for more serious offences—up to four percent of a company's worldwide turnover.

© 2018 AFP

Citation: EU's tough new data protection rules (2018, April 11) retrieved 15 June 2024 from