Data protection rules come into force across EU

The EU's flagship new data protection laws came into effect on Friday but hit an early hitch as several major US news websites were blocked to European users.

The Los Angeles Times and Chicago Tribune newspapers were among those inaccessible on the other side of the Atlantic following the introduction of the General Data Protection Regulation (GDPR).

Separately Facebook and Google already face their first official complaints under the new law after an Austrian privacy campaigner accused them of effectively forcing users to give their consent to the use of their personal information.

The EU has billed the GDPR as the biggest shake-up of data privacy regulations since the birth of the web, saying it sets new standards in the wake of the recent Facebook data harvesting scandal.

But it has also been blamed for a flood of emails and messages in recent weeks as worried firms rush to request the explicit consent of users.

TRT World's Reagan Des Vignes reports.

#HappyGDPRDay

It led to the hashtag #HappyGDPRDay taking off on social media as people sarcastically celebrated the end of the deluge of spam.

Even though the rules were officially adopted two years ago, with a grace period until now to adapt to them, companies have been slow to act, resulting in a last-minute scramble this week.

Companies can be fined up to $24 million or four percent of annual global turnover for breaching the strict new data rules for the EU, a market of 500 million people.

The definition of personal data has also been extended to biometric data including fingerprints and iris patterns, as well as racial and ethnic origins, religious faiths of the data subject in addition to conventional personal perforation such as name, address, identification number and IP address.

New law hailed but burdensome

Many privacy advocates around the world have hailed the new law as a model for personal data protection in the internet era and called on other countries to follow the European model.

Critics, though, say the new rules are overly burdensome, especially for small businesses, while advertisers and publishers worry it will make it harder for them to find customers.

The GDPR clarifies and strengthens existing individual privacy rights, such as the right to have one's data erased and the right to ask a company for a copy of one's data.

But it also includes entirely new mandates, such as the right to transfer one's data from one service provider to another and the right to restrict companies from using personal data.

"If you compare the GDPR with the data protection directive you can really compare it with a piece of software upgrading from 1.0 to 2.0," said Patrick Van Eecke, partner at law firm DLA Piper.

"It's a gradual and not a revolutionary kind of thing ... However for many companies it was a huge wakeup call because they never did their homework. They never took the data protection directive seriously."

Boon for activists 

Activists are already planning to leverage the right to access one's data to turn the tables on large internet platforms whose business model relies on processing people's personal information.

That means companies are having to put in place processes for dealing with such requests and educating their workforce because any non-compliance could lead to stiff sanctions.