New EU rules on data and breaches decided

Long-awaited moves on data; details in early 2016

The European Union has agreed on a sweeping overhaul of fragmented data protection laws that will force companies to report breaches and face huge fines for misusing personal information. Under the new regulations, companies will face tighter restrictions on how they reuse Europeans' data, be required to observe the "right to be forgotten," and risk fines of up to 4% of global annual turnover if they do not comply, which could mean billions of dollars for big tech firms such as Alphabet, Microsoft and Facebook.

The overhaul will also force firms to report data breaches or face stiff sanctions, and aims to make doing business across the EU easier by subjecting companies to just one regulator, in whatever country they have their European headquarters. EU governments and members of the European Parliament are expected to agree the new data protection law, which would replace a patchwork of 28 different laws and give regulators greater enforcement powers.

A problem with current laws, which date back to the 1990s, is that regulators can only levy fines that are puny in comparison to the revenues of the companies involved. Some privacy watchdogs do not even have that power. The threat of sanctions of 4% or 5% of global revenues, depending on the outcome of Tuesday's negotiations, should make businesses more mindful of data protection, lawyers and privacy activists say.

Ross McKean, the head of Olswang’s data protection practice, said: “GDPR (General Data Protection Regulation) is a paradigm change in the way that data collection and use is regulated. We have now moved from an era of relatively laissez-faire regulation of data in Europe to having the most stringent data laws in the world.

“Data permeates everything that we do in our digital lives and touches all organisations. The good news is that we have just over two years to prepare for the new regime. However, in that time organisations will need to completely transform the way they collect and use personal information.”

The so-called one-stop-shop system seeks to prevent companies from having to deal with a different regulator in each country where they operate, a particular headache for the likes of Google and Facebook. The problem has been highlighted by Facebook's spat with the Belgian Privacy Commission, which sued the company even though Facebook argues it should only be regulated by the authority in Ireland, where it has its European headquarters.

The law will bring in strict requirements that national authorities be alerted within 72 hours of when data breaches occur, an issue highlighted by leaks of customer information at British telecom operator TalkTalk over the past year. Companies will also have to inform their customers of data breaches as soon as possible. The lack of reported big data breaches in Europe has bred widescale disregard for the everyday threats facing consumers and businesses, say cybersecurity, legal and policy experts.

For while headline-grabbing cyber attacks in the United States have become commonplace, the risks of stolen customer data in Europe may be similar, although far less often reported, because of a patchwork of outdated regulation.

Mark Thompson, privacy practice leader at KPMG, commented on the General Data Protection Regulation (“GDPR”): “We are pleased to see that the EU is on the cusp of agreeing the GDPR, which is a significant overhaul of European privacy and data protection laws. By the time the regulation comes into play in 2018, for a number of organisations, there will be a lot of work to do.

“Some of the finer points and their impact will become clearer when the final document is released in the New Year. While there will be different concerns for each sector, we understand that sanctions could run as high as 4% of a company’s annual global turnover, and some of the new requirements, such as breach notification requirements, the right to data portability and the right to have your data erased, are likely to cause significant challenges for organisations to implement the rules effectively.

“The adopted risk-based approach provides a risk-based application of a ‘one size fits all’ set of rules across the EU and recognises the different levels of privacy risk associated with SMEs and large global organisations. Assuming that member states give the green light and the last few hurdles are passed, privacy will be catapulted up the list of global organisations’ enterprise risks, requiring them to re-evaluate their privacy risk postures and take action.

“For non-EU businesses that trade in the EU, this agreement will require some to re-think some of the activities they undertake in the EU. This makes it much harder to operate some ‘global’ services and will require them to truly put an EU lens on the business activities which are undertaken in the EU market.”

Richard Brown, Director EMEA Channels & Alliances at Arbor Networks: “The new agreements around the EU Data Protection Act should make it simpler for cloud providers operating within the EU, but the initial barrier to this lies in the understanding of this new legislation. Changes to the definition of what is and is not personal data, the need for ‘explicit’ consent for data collection and different documentation requirements all need to be interpreted, and any relevant changes made. Some of these changes may incur additional costs to business, while others may reduce overall expenditure, like the unification of regulation. But getting a good understanding of this will be a work in progress for many organisations.”