Speaking at a news conference in Brussels on Friday, when the general data protection regulation (GDPR) came into force, Willem Debeurkelaere threatened strict enforcement of penalties for offenders.
He said, “Companies and others have had two years to prepare for today so, no, there will be no grace period.”
He said each case of alleged non-compliance would be treated “on its own merits” but “proportionality and accountability” would be taken into account before any sanction are taken.
Debeurkelaere, deputy chair of the European Data Protection Board (EDPB), the supervisory body that will oversee the GDPR, was speaking after it emerged that a number of news websites have been taken offline for European audience under the new rules.
The LA Times, The New York Daily News, Chicago Times, Chicago Tribune, Orlando Sentinel and Baltimore Sun are all blocked from those trying to access the news in European countries.
There have also been accusations that Facebook and Google have already breached the new regulations.
Andrea Jelinek, who chairs the EDPB, admitted that a case had been opened against Facebook and was one “several complaints” the authorities had already received about “non-compliance” with the regulation.
No details were given but the case does not, said the EDPB chief, involve Cambridge Analytica and the recent data breach.
On the issue of sanctions, she said the national data authorities in each member state had the power, under GDPR, to issue “warning and reprimands.”
She said fines were an option but that such as must not be “disproportionate or dissuasive”.
“The GDPR was actually adopted two years ago so there has been plenty of time for people to prepare to this. We have provided preparatory assistance for today. Trust is the heart of this issue so it is vitally important that companies have the trust of their clients.”
She added, “Today is not the end of anything but the start of a journey when individuals can regain control of their personal data.”
The protection of personal data is essential in a democratic society and this, she told reporters, was “at the core” of the new data protection rules, applicable from today.
“The key word of the reform is accountability. Companies, organisations and institutions should ensure compliance, verify compliance and demonstrate compliance both to individuals and at the request of a data protection authority.”
The EDPB, a relatively new and independent supervisory authority with responsibility for monitoring the processing of personal data by the EU, faced several questions about the consent, one of several legal requirements companies and others must meet in asking for personal data.
Jelinek said, “The importance of consent cannot be overstated enough. Consent must be written and freely given. It is a legal condition in asking for information or data.”
She said, “This much awaited legislation gives people great control over their personal data and a single set of rules applicable to everyone processing the personal data of individuals. In a world where data is treat as a currency the right of people have been overlooked or even flouted.
“We should not lose sight of the fact that personal data is inherent to human beings. I’m convinced the GDPR gives people and supervisory bodies the means to effectively protect and enforce this basic right.”
She said, “It is crucial we united our forces to ensure a high and consistent level of data protection for people, wherever in the EU they might be. We will also promote awareness of data protection rights to the public.”
Ventsislav Karadjov, who chairs the Bulgarian data protection agency and was also speaking at the press conference, said there would also be the possibility of compensation for individuals whose data is used without their consent.
Karadjov, also vice-chair of the EDPB, said the aim was to ensure a “consistent application” of the GDPR throughout the EU.
European Data Protection Supervisor Giovanni Buttarelli, who was also at the news conference, said, “This is an historic day for data protection in the European Union.
“The GDPR is fully applicable and brings with it a big shift towards the principle of accountability and stronger powers of enforcement. As the supervisory authority responsible for monitoring and ensuring the protection of personal data in the EU institutions and bodies, the EDPS has undertaken to ensure that the EU institutions will be adequately prepared.”
The GDPR replaces the EU data protection directive, which dates back to 1995.