New European data protection laws: Risk of €100m fines for breaches

Mar 13, 2014 | France, Germany, Mobile, Online advertising, Regulation, Search engine marketing, Social media, UK

This week, the EU has updated its 19-year-old data protection laws, with stronger safeguards for citizens’ personal data. The new European data protection laws mean that companies found in breach of users’ personal data rights will risk fines of up to €100m. MEPs at the European Parliament voted, by a landslide majority count of 621 […]

This week, the EU has updated its 19-year-old data protection laws, with stronger safeguards for citizens’ personal data. The new European data protection laws mean that companies found in breach of users’ personal data rights will risk fines of up to €100m.

MEPs at the European Parliament voted, by a landslide majority count of 621 votes to 10, to back plans for a new data protection law framework in the EU.
The new rules aim to protect EU citizens against surveillance activities like the NSA web spying scandal last year, and covers all data coming from the region.
MEPs amended the rules to require any firm (e.g. a search engine, social network or cloud storage service provider) to seek the prior authorisation of a national data protection authority in the EU before disclosing any EU citizen’s personal data to a third country.
The firm would also have to inform the person concerned of the request.
Firms that break the rules should face fines of up to €100 million, or up to 5pc of their annual worldwide turnover, whichever is greater, say MEPs.
However, under the plans businesses would be able to obtain a certification from data protection authorities that their processing of personal data is compliant with the Regulation.
Businesses that are issued with a valid ‘European Data Protection Seal’ would face immunity from fines for breaches of the Regulation unless the breach was “intentional” or involved “negligent incompliance”.
‘One stop shop’ for privacy rules

The new rules include a right to have personal data erased, new limits to “profiling” (attempts to analyse or predict a person’s performance at work, economic situation, location, etc.), a requirement to use clear and plain language to explain privacy policies.
Any internet service provider wishing to process personal data would first have to obtain the freely given, well-informed and explicit consent of the person concerned.
“I have a clear message to the Council: any further postponement would be irresponsible,” explained rapporteur for the general data protection regulation, Jan Philipp Albrecht.
“The citizens of Europe expect us to deliver a strong EU wide data protection regulation. If there are some member states which do not want to deliver after two years of negotiations, the majority should go ahead without them.”
However, reforms to the data protection regime cannot happen unless both the European Parliament and the EU’s Council of Ministers, which is made up of representatives of individual member states, both agree on a single set of proposals.
The Council of Ministers has so far been unable to reach a consensus amongst its members on what a new data protection framework in the EU should look like. A number of different views have been expressed in particular over how the ‘one stop shop’ regulatory regime should work in practice.
The UK government has also issued concern about the suitability of proposed rules governing data transfers for the digital age.
Bad news for business?
UK trade body the DMA said the move was bad news for business, as the new rules place extra restrictions on how firms can track and understand user behaviour.
Commenting on the move, Chris Combemale. Executive Director at the DMA said: “Many countries including the UK, are insistent that the focus should be on getting the text of the Regulation right, rather than hitting artificial deadlines.
“Furthermore, this timetable could be subject to change with a new European Parliament following the elections in May and new European Commissioners, including the Justice Commissioner who has overall responsibility for the Data Protection Department, taking up office in November.”
What happens next?
It is likely that there will be three different versions of the draft Regulation by the summer:
1. The European Commission original text from January 2012
2. The text as amended by the European Parliament
3. The text as amended by the Council of Ministers
New Regulation unlikely to come into effect by the end of 2016
Three-way negotiations (trilogue) involving all the institutions are likely to start in the late summer and it is just possible that the Regulation could be agreed in Brussels by the end of this year. If this happens then the new Regulation will come into effect by the end of 2016 but this is highly unlikely.
How firms can prepare for the data protection changes
The DMA has issued some guidelines on how UK firms can prepare for the changes:
Be 100% compliant with existing DP legislation
A good place to start is ensuring that your organisation is compliant with the existing UK data protection law, something that the deputy Information Commissioner, David Smith, urged the industry to do at Data protection 2014 on Friday 7 March.
Plan for opt-in consent
While we don’t know for certain if opt-in consent will feature in the new Regulation businesses need to think about how they would prepare for such a move in postal and telephone marketing. Businesses should think about how they obtain consent from consumers at the moment and whether consumers are aware of what they are consenting to.
Be ready for data breach notification requests
There will be a requirement for organisations to notify consumers and data protection authorities of data security breaches so organisations should know which individuals they hold personal information about and where the personal information is kept. Organisations who have this information will find it easier to report data security breaches to individuals and data protection authorities.
Make data a priority
Organisations should also begin to think about building data protection into any developments at an early stage (privacy by design) and carrying out privacy impact assessments.
In a statement, the DMA said it will “continue its efforts to ensure that the final version of the Regulation contains a balanced approach between the interests of consumers and the industry and will update members on developments.”
Combemale added some final advice for businesses: “You can take action now to prepare for the changes by looking at your data privacy notices, checking that you have the proper permissions in place and by ensuring your business complies with existing data protection laws.”
European Parliament official announcement