The GDPR laws are intended to give power back to citizens over how their data is processed and used
The data protection regulation’s stated aim is to give citizens back control of their personal data and to simplify the regulatory environment.
It could mean huge fines for companies that breach the law, and it poses some complex problems about how they store, delete and return data to citizens.
It is a modernisation of data protection laws drawn up in 1995, before mass internet adoption.
Four years in the making, the new laws’ stated aim is to strengthen the rights individuals have over their data and make companies take the issue of data protection far more seriously.
The rules will come into force in the summer. Then, member states will have two years to comply.
The most significant change will be an increase in the amount of money regulators can fine companies who do not comply with the legislation – up to 4% of their global turnover or 20m euros (£15.8m), whichever is greater.
Businesses will also be required to show how they are complying with the legislation.
It also makes it mandatory for large companies to employ a data protection officer. Data breaches, for example, must be reported within 72 hours.
The legislation will apply to any company that handles EU citizens’ data, even if that company is not based in Europe.
It has long been argued that consumers often have no idea what happens to their data once they relinquish it to the big technology companies, and it is unclear whether this new set of rules will change that.
Companies will have to be more transparent about how they are using data, but this is likely to translate into even more complex privacy policies that individuals, if they read them at all, may not fully understand.
There are provisions that could increase consumers’ rights over their data, but there are big questions about how they will apply in practice.
For example, the controversial right to be forgotten is being extended beyond web searches to all aspects of online life – so someone could ask Facebook or another social network to delete their profile entirely.
It is unlikely to extend to news articles that people want removed, which are likely to be protected under freedom of expression rules.
Similarly, there is provision in the new regulation for consumers to transfer their data from one service to another.
This could be a massive boon for consumers – allowing them to swap internet or email provider more easily and to shop around for services such as utilities and insurance.
Questions arise though over how companies would actually give data back, in what format and, more crucially, what data the user is considered to have provided.
Privacy is now big business, with consultants and lawyers lining up to advise companies on how to implement the changes and make sure their policies and procedures are in order.
The need to have more data protection officers could make companies go on a recruitment drive, but whether there are sufficient people to fill such posts is less clear.
Companies could see more legal challenges from individuals and consumer groups that take up privacy issues on behalf of citizens, but they may also see fewer challenges from individual country regulators, because of a “one-stop shop” clause that would put the onus on the regulator in the country in which the company is headquartered to pursue legal action.
This could mean regulators take a tougher line on US technology companies such as Google and Facebook.