European Union privacy law comes into effect and companies are on alert.
The consequences were visible from day one, with major US media outlets, including the LA Times and the Chicago Tribune, forced to shut down their websites in parts of Europe.
(Reuters) - The new European privacy regulation came into effect on Friday and requires companies to be more careful about how they handle customer data.
People in the bloc were bombarded with dozens of emails requesting their consent to continue processing their data, and a privacy activist wasted no time in taking action against US giants for allegedly acting illegally by forcing users to accept intrusive terms of service or lose access.
“You have to have a 'yes or no' option,” said Austrian Max Schrems before filing complaints in European jurisdictions. “Many of these companies now force you to agree to the new privacy policy, which is totally against the law.”
The European Union's General Data Protection Regulation (GDPR) replaces a set of the bloc's rules dating back to 1995 and heralds an era in which breaches of privacy laws can result in fines of up to 4 percent of global revenue or 20 million euros, whichever is greater, compared with a few hundred thousand euros previously.
Many privacy advocates praised the new law as a model for protecting personal data in the internet age and urged other countries to follow the European model.
Critics say the new rules are excessively burdensome, especially for small businesses.
The GDPR clarifies and strengthens existing individual rights, such as the right to erasure of data and the right to request a copy of data.
But it also includes entirely new rights, such as the right to transfer data from one service provider to another and the right to prevent companies from using personal data.
“It’s a gradual thing, not a revolutionary one… However, for many companies it was a big wake-up call because they never did their homework. They never took the data protection directive seriously,” said Patrick Van Eecke, partner at the law firm DLA Piper.
Activists are already planning to use their right to access their data to turn the tables on internet platforms, whose business model depends on processing personal information.
This means that companies are having to implement processes to handle these requests and train their workforce because any violation can lead to harsh sanctions.
One of the key provisions of the GDPR, the right to data portability, is causing particular confusion.
“I think data portability rights are quite significant, and it will take some time for people to figure out what the limits are and how they should comply with them,” said David Hoffman, Intel’s director of security policy and global chief privacy officer.
For example, music streaming services, such as Spotify, create playlists for users based on their musical preferences. While a user seeking to exercise their right to data portability can transfer the created playlists, the situation becomes complicated if the playlists were created by the streaming service using algorithms.
EU data protection authorities have said that individuals should be able to transfer data they provide, but not "derived data" created by the service provider, such as algorithmic results.
By Julia Fioretti