EU data protection reform may promise more than it delivers
BRUSSELS: Implementing the biggest shake-up to Europe’s fragmented data protection laws in two decades may fail to provide companies with the consistency and simplicity that had been promised across the 28-nation bloc.
A patchwork of privacy laws in the European Union, dating back to 1995 when the internet was in its infancy, was criticised for lacking teeth and being interpreted differently across the EU. To tackle those failings, the EU last week agreed a sweeping overhaul of data protection rules which would introduce a single rule book, fines of up to 4 percent of a company’s global turnover and a simpler system of enforcement.
“A step change in sanctions will make privacy a board level issue,” said Tanguy Van Overstraeten, a lawyer at Linklaters. “Some businesses will need to start taking these issues a lot more seriously.”
Privacy has long been a particularly sensitive issue in Europe, where intrusive government surveillance during and after World War Two has made its protection a fundamental right on a par with guaranteeing the freedom of speech. The exponential growth in data — from people’s credit card habits, social media postings and wearable fitness devices tracking their sleep and movements — has fuelled concerns that individuals do not have enough control over such information.
The new rules should be a boon for web companies such as Google, Facebook and Amazon, which do business across Europe and currently have to deal with a series of national regulators.
However, critics of the new measures question whether regulators will be able to cope with an increased workload and whether the regulatory overlap has genuinely been removed.
“We are concerned that investors will be scared off from investing in Europe and will look outside the continent to finance the next big thing in technology,” said the Industry Coalition for Data Protection, whose members include Google, Facebook, Amazon and IBM.
The rules are tougher in some obvious ways. Not all privacy regulators currently have the power to levy fines. When they do, the amounts are often paltry compared to the billions of dollars of revenues of the businesses involved.
One of the most significant changes that companies were looking forward to was the “one-stop-shop”. Under the new law, which will come into force in two years, companies operating across the EU should only have to deal with the regulator in the country where they have their European headquarters.
But it was watered down by member states who were eager to protect the power of their national regulators to investigate US tech companies — which hold swathes of Europeans’ data — and ensure citizens could still complain to their local authority about a company located elsewhere. That means any “concerned” authority will have the power to object to the decision made by the “lead” authority — the one where the company has its EU headquarters.
Lawyers say that the definition of a concerned authority is too broad and that for some companies it will not be clear where their main European base is. “There is concern that the trigger for other data protection authorities to get involved is too low,” said William Long, partner at law firm Sidley Austin LLP. But consumer groups say ensuring that citizens can still complain to their local regulator is important for protecting their privacy.