Other national variations will exist in rules governing the age at which children can consent to the storage of their personal information: It will range from 13 to 16 years depending on countries' existing legislation. Whatever the country, though, it will mean no Facebook or other social media accounts for pre-teens across Europe.
The second glitch is that the GDPR doesn't cover all kinds of data: Another piece of legislation, the 2002 e-privacy directive, covers information exchanged through electronic communications services such as fixed and mobile phone networks, and there are inconsistencies between that directive and the new data protection rules. The European Commission is aware of this, and on Monday opened a three-month public consultation on how this needs to change.
The GSM Association, a trade body for mobile networks, welcomed the arrival of the new rules and called on the Commission to use the consultation to address the inconsistencies between the GDPR and the existing e-privacy directive.
"Consumers should be able to enjoy consistent privacy standards and experiences, irrespective of the technologies, infrastructure, business models and data flows involved or where a company may be located," said GSMA Chief Regulatory Officer John Giusti.
He cautioned that too much privacy would be bad for business: "The right balance needs to be struck between protecting confidentiality of communications and fostering a market where innovation and investment will flourish."
John Higgins, director-general of IT industry lobby group Digital Europe, also warned that privacy has a cost.
"While we continue to believe that the final text fails to strike the right balance between protecting citizens' fundamental rights to privacy and the ability for businesses in Europe to become more competitive, it is now time to be pragmatic," he said via email.
National differences in implementation are also a danger for those doing business entirely online, and threaten the EU's plans for a digital single market.
"If Europe fails to properly implement the GDPR across all 28 EU Member States, this could render the digital single market incoherent," he said.
Joe McNamee, executive director of campaign group European Digital Rights (EDRi), said the business lobby had already removed much of what legislators put in the original data protection package, but "the essence" had been saved.
Approval of the GDPR makes a moving target of EU data protection law for officials working on the Privacy Shield, a legal mechanism allowing companies to guarantee compliance with EU privacy rules when exporting citizens' personal information to the U.S. for processing.
On Wednesday EU data protection authorities called for a revision mechanism to be added to the draft Privacy Shield agreement to take into account future rules changes, including those now due to take effect in 2018.
Sign up for Computerworld eNewsletters.