It’s official. From 2017 on there will be new data protection legislation in the EU. The new legislation will be based on a 2012 proposal regulation. Politico explains:

  •  “The 28 member countries must adapt their national laws or pass new ones within two years from the new law’s official publication, expected early next year.”
  • “Broadly speaking, the general data protection regulation gives consumers more control over how their data is used and retained. Companies that don’t abide by the rules will face fines up to 4 percent of global sales.”
  • “The new law will also expand the potential liability for companies. Currently, only the data controller is liable for data breaches in the EU. Soon, both the controller and the data processors will be jointly liable for any damages.”
  • “The regulation also gives people the right to have their personal data corrected if inaccurate, and expands their right to remove irrelevant or outdated information. … Consumers will have the right to stop a firm using data when they close an account, for example, or they can stop marketing companies from building a data profile of them.”
  • “The age of consent for data processing — meaning the age to sign up for Facebook, Gmail or Instagram — will be the choice of EU countries. The regulation sets it at 16, but governments will can lower it to 13, which is the current limit for many U.S. social media companies The proposed change was not popular with tech companies or child-safety NGOs.”
  • “At the same time, Parliament wanted a person’s consent to process their data to be “explicit” — a higher bar than Council’s preferred “unambiguous.” In the end, Council won.”
  • “A final key sticking point: Should it be mandatory for companies to have a data protection officer? Parliament said yes, Council no. In the end, the job is mandatory, except for small- and medium-size companies, unless data processing is core to their business. … This will allow people to complain about a company in their home country rather than the country where that firm’s EU headquarters is located. In cases that involve multiple EU countries, the country with the headquarters will take the lead, and a new European Data Protection Board will help settle disputes.”

More sources here

My take on EU data protection legislation here