The European Union (EU) introduces tough new data protection rules next month to give people more control over the way their personal information is used online, as Facebook is grilled over the Cambridge Analytica scandal.
The EU's General Data Protection Regulation (GDPR), which takes effect on May 25, will simplify rules by replacing the current patchwork of national laws and creating a Europe-wide regulator to enforce them.
Facebook chief Mark Zuckerberg told US lawmakers on Tuesday the company plans to fall in line with GDPR rules as it seeks to rebuild its reputation after the Cambridge Analytica data breach.
US-British political research firm Cambridge Analytica plundered detailed personal data on 87 million users to be used in the 2016 US presidential election.
Here is a run-down of the key elements of the GDPR:
Companies gathering and processing personal data will have to tell their users who they are, what information they are using and why, how long it will be stored and who will have access to it.
The EU says the information must be "clear and understandable" and users have the right to access the personal data an organisation has on file about them.
Companies must ask for users' consent to process their data and clearly indicate how they will use it. The rules say this consent must be "an unambiguous indication of your wishes and be provided by an affirmative action.
"Companies won't be able to hide behind long legalistic terms and conditions that you never read," the EU says in official guidance to citizens.
Users will have the right to opt out of direct marketing using their data, and companies must give extra protection to sensitive information on health, race, religion, sexual orientation and political beliefs.
Customers will have the right to access their data and have it transferred to another company, for example when they change from one cloud data storage provider to another.
The EU says this will make it easier for people to change providers for various online services and help new start-ups compete with existing social networks.
Right to be forgotten
Customers will have the right to ask a company to delete their data if there is no legitimate reason for it to be kept.
There have been concerns this could be abused by public figures such as politicians to hide embarrassing incidents, but the EU insists it is "about protecting the privacy of individuals, not about erasing past events or restricting freedom of the press".
Companies must inform users of data breaches "without undue delay" and tell authorities within 72 hours.
The GDPR includes a range of tools to enforce the new rules and punish companies for breaches. These include warnings and reprimands and stiff fines for more serious offences -- up to four percent of a company's worldwide turnover.