Companies face fines as high as 2 percent of yearly global sales for mishandling or losing personal data under an overhaul of European Union privacy rules.
The 27 EU data-protection agencies would be able to sanction companies that don’t comply with tougher rules on handling personal information, proposed by the European Commission today. Online-advertising and social networking sites will also be covered by the policy, updating the EU’s 17-year-old data-protection policies.
The EU overhaul would also clamp down on data lapses such as Sony Corp.’s six-day delay in warning customers about a cyber attack that exposed more than 100 million customer accounts, the second-largest online data breach in U.S. history. Google Inc. was fined 100,000 euros ($129,600) last year by France, one of the few European privacy agencies with the power to levy financial penalties, over the company’s accidental collection of personal information from wireless networks.
“We will finish with this scandal,” said EU Justice Commissioner Viviane Reding at a press conference in Brussels. “Companies and organizations must notify serious breaches as soon as possible which means for me 24 hours” to the national regulatory authority and to the person whose data has been compromised.
Under the draft rules, serious violations such as processing sensitive data without an individual’s consent or without any legal justification, may be punished with penalties as high as 1 million euros or as much as 2 percent of a company’s yearly sales, the commission said. Less serious offenses would be punished with smaller fines.
The proposal will reduce the number of regulators a company needs to contact for data-protection issues across the region as the regulator of its home base will become a “one-stop shop.” In practice, this will mean that Ireland’s agency will be in charge of regulating companies like Google Inc. and Facebook Inc., which run their European operations from the country.
Wim Nauwelaerts, a lawyer at Hunton & Williams LLP in Brussels, said businesses welcome having one point of contact to reduce the legal uncertainty they currently face from multiple jurisdictions.
“Inevitably some data-protection authorities are going to receive more requests for clarifications,” Nauwelaerts said. “It’s going to be one of the challenges of data-protection authorities going forward, to make sure that they are adequately equipped.”
‘A Real Cost’
Companies could save as much as 2.3 billion euros a year as redundant, contradictory or unnecessary reporting requirements are eliminated, Reding said. Businesses currently face “a real extra cost” from “contradictory data-protection requirements,” she said.
The Business Software Alliance, a group which counts Microsoft Corp. and Apple Inc. among its members, said the proposal’s prescriptive approach to how data should be collected, processed and stored may “bog down companies with onerous compliance obligations which could inhibit digital innovation.”