- EU negotiators back tougher data protection rules for bloc
- Firms risk fines as high as 4% of global sales for violations
Companies from banks to U.S. technology giants risk fines of as much as 4 percent of their global annual sales if they fail to protect their customers’ data, as the European Union agreed to beef up the powers of privacy regulators across the 28-nation bloc.
EU negotiators sealed the historic deal almost four years after the first proposals to overhaul the bloc’s 1995 data-protection law. The rules are expected to take effect from 2018, once Tuesday’s agreement at the European Parliament in Strasbourg, France, is rubber-stamped by lawmakers and EU governments.
Fighting privacy breaches in the EU is often a David vs Goliath task for thinly resourced data watchdogs in tussles with Internet companies such as Facebook Inc. and Alphabet Inc.’s Google. The breakthrough will plug gaping holes in the way privacy breaches are handled in the EU and pave the way for fines similar to those meted out to cartels and monopolies that abuse their market power. While some data watchdogs can fine as much as 1 million euros ($1.1 million), others can’t levy penalties at all.
“There was wrangling until the last moment to find the right compromise,” said German Green lawmaker Jan Philipp Albrecht, the parliament’s chief negotiator in the talks with governments and the European Commission. “We fixed high sanctions, which was important” for the assembly.
Measures to regulate the use of personal data in law enforcement and criminal prosecutions also won approval, despite calls for a suspension of the talks shortly after the Nov. 13 suicide attacks in Paris that claimed the lives of 130 people.
Under Tuesday’s deal, companies will also be obliged to disclose breaches, such as hacking into corporate databases. The growing threat to companies that control a treasure trove of client data was underscored by recent cyber attacks on the U.K.’s TalkTalk Telecom Group Plc and Hong Kong electronic-toy maker VTech Holdings Ltd.
“These new pan-European rules are good for citizens and good for businesses,” EU Justice Commissioner Vera Jourova said in a statement. They will “profit from clear rules that are fit for the digital age, that give strong protection and at the same time create opportunities and encourage innovation.”
Felix Braz, Luxembourg’s justice minister whose team led the negotiations and helped seal the deal for EU governments, said the accord is “a fair compromise.”
Business groups have criticized the sanctions proposals and a so-called one-stop-shop mechanism, aimed at making one of the EU’s 28 regulators the lead in cross-border cases.
ETNO, a group of European phone operators, welcomed the deal, but said the industry now faces double-regulation because an existing “ePrivacy” law designed to protect data is already in place.
“Europe needs to address this regulatory asymmetry without delay,” Brussels-based ETNO said.
Luxembourg made it a priority when it took over the rotating six-month EU presidency in July to get an agreement before the end of the year. Braz last week conceded that the discussions “have not been easy.”
Revelations by former U.S. National Security Agency contractor Edward Snowden about U.S. government surveillance activities and mass data collection shattered trust among citizens, wary of how their private details would be used and abused.
A 15-year-old accord that smoothed the way for companies to transfer data across the Atlantic was struck down by the EU’s top court, partly on fears that EU citizens would be powerless to protest about U.S. spies gaining access to their private details.
Jourova said last week that one of her goals was rebuilding a “deep trust” among citizens. Jourova, who inherited the proposals from predecessor Viviane Reding, rejected fears the plans would stymie law enforcement agencies as counter-terrorism takes center stage.
“On the contrary, it gives them more clarity and legal certainty when exchanging data cross-border,” she said.