© The Financial Times Ltd 2015 FT and 'Financial Times' are trademarks of The Financial Times Ltd.
January 22, 2012 4:35 pm
Businesses are bracing for a radical overhaul of European Union privacy rules to be unveiled this week, which some fret could result in costly burdens and large fines for errant companies.
The European Commission will on Wednesday propose far-reaching changes to the rules dictating how companies handle any personal information, the first update to EU regulations originally crafted in 1995. The proposals will impose a single set of privacy standards across the EU’s 27 countries for the first time, overriding often divergent national rules.
Though watched particularly keenly by technology companies such as Google and Facebook, who store large amounts of personal data, the new EU privacy rules will impact the entire corporate landscape.
Any company maintaining databases that include personal information – be that customer records, internal human resources directories or any other list – will have to comply with the new rules, and be able to show how and why they are using personal data.
Businesses have long called for a single EU data protection structure, but many fear the new standards coming into force are far more stringent than those currently in place at national level.
“We have been pushing for harmonisation of privacy laws for several years, but we are concerned that these proposals may be too prescriptive,” said Ron Zink, Microsoft Europe’s chief operating officer and associate general counsel.
A draft of the privacy proposals seen by the Financial Times calls for companies to be fined up to 2 per cent of their global turnover if they breach the new guidelines, leaving global multinationals facing bills worth hundreds of millions of euros. Viviane Reding, the EU justice commissioner behind the proposal, had originally pushed for fines to be set at 5 per cent, but the proposal was watered down just days ahead of its launch.
“The aim is to elevate data protection to the level where it needs to be taken seriously by chief executives and corporate boards, as opposed to technical compliance staff,” says Christopher Kuner, a privacy specialist at law firm Hunton & Williams.
Businesses are expected to lobby heavily for the privacy provisions to be amended as the proposal goes to the European Parliament and national governments for adoption, a process that is expected to take well over a year.
One particular concern is the requirement for companies to obtain explicit consent from the people whose data they are processing. The head of the European Telecommunications Network Operators’ Association, a lobby group, warned in a letter to Ms Reding last week that “those rules need to be ... adapted to the online world, but we fear that requiring explicit consent will hinder the development of innovative online services and products”.
Companies offering online services are expected to question aspects of a newly created “right to be forgotten” which forms part of the proposal. This will force social networks such as Facebook and LinkedIn to allow users to delete information they have posted online, even after having previously given their consent for it to be public.
The EU’s proposals will include an obligation for companies that misplace any personal information to immediately notify both the authorities and the concerned parties, a rule which is currently in place only for telecoms providers. All companies with more than 250 employees will have to appoint a privacy officer to ensure data protection rules are being followed.
The law will for the first time apply to non-EU companies if they pitch their services to European consumers, a clause which has already met with opposition from the US authorities.
But perhaps the most tangible impact for companies is that all their privacy issues in the EU will now be tackled by a single EU data protection regulator, which will be that of the country in which they have their main European operations.
A new European Data Protection Board, made up of the EU’s 27 national regulators and the EC, will co-ordinate cross-border cases, such as the one faced last year by Google’s Street View service, which prompted separate investigations in a dozen EU countries.
“That’s a big plus for companies, as dealing with 27 different national regimes is both expensive and cumbersome,” says Mr Kuner.
The impact of the new rules will be felt more in countries which have relatively lax data protection regimes than those where the rules are already tight.
Simon McDougall, managing director at Promontory, a privacy consulting service for businesses, says the EU-wide regulation will hit British companies the hardest, as the UK privacy regime is currently one of the most lenient in Europe.