News
posted 26 Jan 2012
Firms face fines of up to two per cent of global annual turnover for data breaches
All businesses with EU clients will be liable under the proposed EC reforms
Firms may be fined up to €1m or two per cent of global annual turnover for failing to report serious data breaches within 24 hours, under proposed changes to the European Union’s 1995 Data Protection Directive.
If passed, the new rules will apply to all organisations that are active in the EU market and offer their services to EU clients.
The European Commission has proposed the introduction of a single set of rules on data protection which are valid across the EU. A new regulation would provide for increased responsibility and accountability for those processing personal data. In addition, a new directive would apply general data protection principles and rules for police and judicial cooperation in criminal matters; the rules would apply to both domestic and cross-border transfers of data.
The proposed new regime is expected to simplify data protection laws across
Organisations would only have to deal with a single national data protection authority in the EU country in which they have their main establishment. Unnecessary administrative requirements, such as notification requirements for companies, would be removed. The EC estimates this could save businesses around €2.3bn a year.
In addition, the current obligation on all companies to notify all data protection activities to data protection supervisors – which the EC says has led to unnecessary paperwork and costs businesses €130m per year – would be scrapped. The new regulation would instead provide for increased responsibility and accountability for those processing personal data.
Meanwhile, independent national data protection authorities would be strengthened to enable them to better enforce the EU rules at home. Organisations would be required to notify their national supervisory authority of serious data breaches as soon as possible (preferably within 24 hours).
The EC would like the national authorities to be empowered to fine organisations that violate EU data protection rules up to €1m or up to two per cent of global annual turnover. The maximum fine that can currently be levied in the
The proposed reforms will make “life easier and less costly for businesses”, said EU justice commissioner Viviane Reding, who is also the EC’s vice-president.
However, Alexander Brown, a partner at Simmons & Simmons, has warned that the new laws represent a major additional compliance burden for businesses. “There are a number of underlying issues for companies. The most significant is that the level of required compliance activity and sanction for non-compliance is set to go up dramatically. This is a huge change in the level of compliance burden and enforcement risk faced by companies.”
The commission’s proposals will be passed to the European parliament and EU member states for discussion. If carried through, the rules will become effective two years after adoption.
Copyright ©2012 Wilmington Publishing & Information Ltd 2010, a division of the Wilmington Group PLC. Wilmington Publishing & Information Ltd is a company registered in England & Wales with company number 03368442 GB. Registered office: 19 - 21 Christopher Street, London EC2A 2BS. VAT NO.GB 899 3725 51