On December 15 European Union officials reached a final agreement approving new data protection regulations. Expected to go into effect in early 2017, the new rules replace the current data protection directive, which has been in place since 1995. Unlike the old directive, which allowed member states to adapt its requirements to national law, the new rules contemplate centralized enforcement in which companies report to a single privacy regulator in each member state. Among other reforms, the regulations (i) subject multinational companies to substantial new fines of up to 4% of the company’s annual global revenue, (ii) codify the “right to be forgotten” into European law giving people the right to request that companies remove irrelevant personal data, (iii) require companies to inform regulators within 3 days of a data breach, (iv) require parental consent for minors’ use of popular social media platforms, and (v) extend the new rules to any company with customers in the European Union regardless of whether the company is based in the European Union. The new regulations were approved at a meeting of representatives from the European Commission, however the European Parliament and the national governments of the members states must still ratify the rules before they can go into effect.
You can read more about the new privacy rules here.