Companies enjoying the benefits of cloud computing may find that they increase the risk of receiving hefty fines, which could reach hundreds of millions of pounds, under future EU data protection rules.
Vinod Bange, partner at top London law firm Taylor Wessing, warned delegates at a seminar this week that the risks will be far greater under the new legislation.
“Regulatory sanctions have gone way off the scale in terms of what we are used to right now,” said Bange.
“The sting in the tail, which did not exist before, is that there is a provision to calculate a fine that is based on a percentage of annual global turnover. That’s big news and a big change,” he added.
“Organisations have moved on so much since the original legislation in 1995. In this globalised, outsourced, social media, cloud-driven environment, you could end up with a third tier fine.”
Under the proposed EU laws, regulators would be able to fine companies according to three different tiers:
• Tier 1 - €250,000 (£209,000) or 0.5 percent of global annual turnover
• Tier 2 - €500,000 (£418,000) or 1 percent of global annual turnover
• Tier 3 - €1 million (£837,000) or 2 percent of global annual turnover
Third tier fines include breaches that relate to international data transfers, an error that could occur more easily when using cloud computing, thanks to datacentres located in international territories.
Bange warns that this could lead to far greater fines than the maximum £500,000 that can currently be issued by the Information Commissioner's Office, and enterprises need to realise that signing off on this risk is significant.
“The risk for companies is much higher than what we are faced with at the moment. Signing off on that risk is a very different ball game compared to what exists right now,” said Bange.
“Looking at the average turnover of a FTSE 100 company and a Tier 3 fine, it could be a fine reaching hundreds of millions of pounds,” he added.
“Who within your organisation has the authority to sign off a risk of that proportion?”
The shake-up of the EU’s data protection rules is being pushed through in a bid to eliminate disparity between different laws across the EU’s 27 states.
The proposed changes are still in the early stages of development and are yet to be approved by EU member states and the European Parliament. Experts don’t expect the new legislation to be fully adopted until at least 2014.
In similar news, Google has today announced a new service called Google Apps Vault for Business, which aims to help companies reduce the costs of litigation, regulatory investigation and compliance actions.
Vault enables businesses to manage, archive and preserve data, which can then be recalled at any time using eDiscovery. This allows users to find and preserve data to respond to unexpected lawsuits or investigations.
The service will initially be available in the US and Latin America, but will also be launched in the UK in the next few weeks.