New EU privacy rule could cost U.S. firms billions

Elizabeth Weise | USA TODAY

SAN FRANCISCO — U.S. tech firms that don't adequately warn users in Europe how their information is going to be used could face fines in the billions of dollars under a new European privacy protection directive expected to be agreed upon Tuesday.

The new privacy directive requires tech companies to clearly inform users what information about them is being collected and how it will be used, and to get their consent to that use. It has been in the works for several years and will replace a patchwork of laws from the 1990s.

“A lot of the language in this regulation has been sharpened in response to U.S. companies walking very close to the line as far as complying with E.U. data protection regulations,” said Danny O’Brien, the international director of the Electronic Frontier Foundation, a San Francisco-based cyber rights group.

The new directive will also give E.U. residents the legal right to require companies to correct any information about them that is outdated or incorrect.

It also raises the age of data consent to 16. Users younger than that will be required to get parental permission to share information about themselves with companies, said O’Brien. Previously the age of consent was 13.

Users also will have the right to have their information deleted. For example, if they choose to delete their Facebook account, Facebook would have to also delete all the information it had collected about them, said O’Brien.

U.S. tech companies have fought against recent EU efforts that make it harder to, for instance, transfer data between European countries and the U.S. Business lobbying groups warn that the costs of doing business in Europe will rise, leading to fewer services.

But this new directive will benefit them on one front: It's a single framework rather than separate and sometimes slightly different rules in each of the E.U.'s 28 member countries, which had been a major headache for firms doing business across Europe.

A sticking point of recent discussion has been the penalties companies would pay if they were found to not be in compliance with E.U. requirements.

The European Commission proposed 2% of a company’s global revenue as a fine, while the European Parliament has asked for 5%.

Robert Cattanach, a partner at the international law firm Dorsey & Whitney and expert on cybersecurity and privacy, says 4% seems likely.

“If you’re Google or Facebook, that’s a staggering amount of money,” he said.

For example, the Google parent company Alphabet had gross revenue of $66 billion in 2014. Four percent of that would be $2.6 billion. Facebook, with $12.47 billion in revenue, could face fines of $498 million.

“The EU now has a lot of extra weaponry to punish companies who it believes aren’t complying with its privacy rules,” said O’Brien.

Facebook cannot comment on the directive until the language is final, the company said.

For privacy rights activists, this isn't a question of European privacy standards being too stringent, but of the United States being behind the times.

“Threats to online privacy are on the rise — cyber attacks, data breaches, identity theft, and secretive profiling of Internet users,” said Marc Rotenberg, president of the Electronic Privacy Information Center in Washington D.C.

“Unfortunately, the United States is still caught in the last century, with privacy policies that provide no real protections to Internet users. The U.S. will need to update privacy laws to safeguard U.S. consumers and maintain trade relations with Europe,” he said.

The EU directive becomes effective two days after all 28 member states sign off on it. It is expected to come into force at the beginning of 2016. Companies then have two years to come into compliance, said O’Brien.