Businesses breaching European Union privacy rules will face fines of up to 5 per cent of their global turnover under sweeping proposals to be unveiled next month.
In the first significant update of data protection legislation since 1995, companies found to have mishandled any personal data they hold – be it of their customers, suppliers or their own employees – will face the highest levels of fines, which could extend to billions of euros for large multinationals.
The measures are being finalised within the European Commission. They will have to be approved by national governments, some of which – especially Germany – will be reluctant to lose oversight on privacy matters to Brussels. The process is likely to take at least two years, with another two before the measures come into effect.
The proposals would bolster significantly the EU’s powers on combating data protection breaches, such as when companies sell customer data to third parties without authorisation or fail to adequately protect information held by social networks and “cloud computing” services.
Companies would have 24 hours to notify data protection authorities and the affected parties in cases where private data are compromised, as happened this year when the details of 77m Sony PlayStation accounts were hacked.
By ensuring the rules also apply to foreign groups’ European subsidiaries, the new rules will force global companies to strengthen their data policies.
A draft of the proposals seen by the Financial Times calls for all companies with more than 250 employees to dedicate staff to data protection issues, something currently not required in all European countries.
The rules will give the EU similar powers in policing privacy to those it wields in competition matters, where it can levy fines of up to 10 per cent of turnover for antitrust violations.
Brussels’ competition powers have resulted in fines of €1.1bn ($1.5bn) and €899m for Intel and Microsoft, respectively.
Some measures will have a particular impact on social media. Most notably, a contentious “right to be forgotten” will force the likes of Facebook and LinkedIn to allow users to delete information they have posted online, even after having previously given their consent for it to be public.