Businesses could face a fine of €100 million or five percent of their annual global turnover, whichever is greater, following a European Parliament vote to strengthen the proposals for new EU data protection laws.
This is an increase from €1 million and two percent of global turnover, which was initially recommended by the European Commission on 25 January 2012, when it proposed a reform of the EU’s 1995 data protection rules to make it more relevant to the digital age.
“The European Parliament agrees that national data protection authorities need to be able to impose effective sanctions in case of breach of the law. It has proposed strengthening the Commission’s proposal by making sure that fines can go up to five percent of the annual worldwide turnover of a company.”
Other, stronger, reforms that have been approved by the parliament include increased restrictions on international data transfer and companies are now required to have a data protection officer if they process the personal data of more than 5,000 individuals.
Following this vote, the next stage is for justice ministers to meet on 5-6 December 2013 to continue the data protection reform discussions.
However, despite EC president Jose Manuel Barroso calling for a swift adoption of the reformed regulations before the end of this parliamentary term, some industry experts believe that the EC is taking too long in implementing necessary reform suggested over a year ago.
Belinda Doshi, partner at law firm Nabarro, said: “The latest text is disappointing and appears to be a knee-jerk reaction to the Prism revelations.
“It’s time for European lawmakers to ‘get real’, listen to business and quickly get on with the business of agreeing a realistic text for the draft General Data Protection Regulation. This type of posturing will only lead to further delay in agreeing the 21st century data law that the EU badly needs - a single data protection regulation with a one-stop-shop regulator principle.”
Ovum’s telecoms regulation analyst, Luca Schiavoni, agreed.
“The amendments include tighter rules for the transfer of personal data to non-EU countries upon request from a public authority, which should now be possible only on the grounds of EU law or treaties between countries. This seems to be a reaction to recent, headline-making stories such as the Prism scandal, and, if passed in this form, may strongly limit US companies’ ability to transfer European users’ data to the US.
In addition, Schiavoni believes that the reforms will still create more administration work for internet companies, and that the high financial penalty is too harsh for small companies.
“Working out in detail how to ensure that a user gives ‘explicit and informed consent’ to personal data processing also remains a challenge. This is very likely to turn into an extenuating box-ticking exercise for end users of online services and apps, and is likely to be burdensome for internet companies to implement.
Schiavoni added: “The set of fines seems to have been devised with some internet giants in mind, but it looks disproportionate for smaller companies. Clear regulation will be necessary to ensure that small start-ups can easily comply with it, without running the risk of being hard-hit for not complying with rules that appear difficult to implement.”
However, TK Keanini, CTO of US company Lancope, which provides solutions for network security, performance and application monitoring, believes that the level of fine is fair.
“The fines are necessary in my opinion,” said Keanini. “There must be pain or it will just be viewed as a ‘cost of doing business fee’. Getting this number right is critical and it already looks like some analysis went into a tiered model.
“Having no fines at all would be a mistake, having unreasonably high fines will just result in revision after revision until it settles down. And five percent is just painful enough to cause a change in behaviour.”