The newly proposed EU data protection laws are the biggest shake-up of the area in Europe for nearly 20 years.
The aim behind the changes is twofold – to increase protection for personal data and harmonise regulation across the EU. Given that at the moment each of the 27 member states has its own laws, the idea of “one law to rule them all” is obviously good news.
The bad news is that they threaten to impose a potentially substantial burden on European businesses. The focus has been on the news that US-based businesses operating on the web, such as Google, Facebook and Microsoft, will fall under the jurisdiction of the law when offering goods or services to, or monitoring the behaviour of, European consumers, no matter where their servers are located. But the impact on home-grown businesses is also substantial.
Fixed costs for medium-sized companies with over 250 employees will increase, as they will need to appoint a data protection officer no matter how little personal data they actually process in Europe.
Individuals will have a qualified “right to be forgotten”, enabling them to request that personal data be deleted “without delay” – not just on the original site, but across the web.
Data breaches will be punished heavily. Companies will be required to notify anyone affected as well as regulators “without delay, and where feasible not later than 24 hours after having become aware of it.”
And regulators will have the power to fine businesses up to two per cent of their annual global turnover for breaches of the law.
The new Regulation will need to be approved by both the European Parliament and Council of Ministers before it can come into effect. If this happens, it will be effective unilaterally across the EU two years and 20 days after it is published in the Official Journal of the EU.
The EU has talked of savings for businesses of €2.3bn per year by harmonising the current fragmented approach, but the worry is that implementing the law is going to wipe out these savings by adding to bureaucracy and red tape.
Given the potential costs involved, it shouldn’t just be the likes of Google and Facebook that are concerned about the impact of the law on their operations, but all businesses in Europe whatever their size.
Marc Dautlich is partner and Head of Information Law at international law firm Pinsent Masons.