Massive fines planned in European data breach crackdown

Summary: The European Commission could impose huge fines on companies that breach new data protection laws, currently under review, even if those companies are based in the United States.


The European Commission could directly impose severe fines against companies that breach European data protection laws, sources confirm.

The new European Data Protection Directive, set to be unveiled next month in January, will contain provisions for the Commission to impose fines of up to 5 percent of a company's global turnover.

By comparison, under current European law the Commission can already fine companies that breach its antitrust rules up to 10 percent of their global turnover, regardless of where they are headquartered.

Fines imposed by the Commission under the new directive could run to billions of dollars for large companies such as Google, Microsoft or Facebook, even though they are headquartered in the United States.

Though these companies have their head offices in the United States, they operate in Europe and must therefore comply with both U.S. and European law.

But some members of the European Parliament (MEPs) are still concerned that the law will not fix existing gaps relating to third-country legislation, and are pressing for emergency legislation instead.

More than half a dozen MEPs from Europe's lower house are seeking emergency legislation in a bid to enforce European law "not in the future, but today".

Viviane Reding, vice-president of the European Commission and Commissioner for justice, fundamental rights and citizenship, said last month that the updated European data protection directive would amend the current laws, which the 27 member states use as their foundation legislation, so as to protect European interests from third-country legislation.

Reding said in a speech on November 29th that the new proposals would "in concrete terms" oblige companies to "notify data protection authorities and the individuals concerned when a data breach is discovered".

The plans in the new directive would therefore require companies to inform both data protection authorities and the affected clients or customers that their data has been compromised.

These measures would force U.S. companies operating in Europe to strengthen their data protection policies, rather than relying on the laxer data protection laws they are subject to at home.

Recent data breaches have brought high-profile companies great embarrassment, but no legal penalty beyond public anger and a public-relations crisis to manage.

U.S. data protection laws are currently under review, as part of the trans-Atlantic data sharing agreements.

Rosemary Jay, former head of the legal office at the UK's data protection authority and senior attorney at Hunton & Williams, welcomed Commissioner Reding's comments last month, but warned that the problem of third-country laws may be more intractable than those comments suggest.

"U.S. companies are put under pressure to disclose information to the U.S. government because those companies are subject to American law, either because they are operating in the U.S. and holding data on EU citizens as a result, or the operation is headquartered in the U.S., or their EU branches are controlled from the U.S."

"Whatever changes are made to EU laws cannot change the U.S. position," she added.

"Indeed, if EU laws were to be 'strengthened' to forbid companies from making disclosures in response to requirements imposed by U.S. government agencies, those companies would be placed in an even more difficult position.

"It would be ironic indeed if an initiative aimed at trying to resolve this problem made life even more difficult than it already is for business."


Talkback

5 comments
  • Taxes in disguise

    All these governmental entities spend fortunes protecting their military and diplomatic data stores. The methods don't always work (see WikiLeaks), but the measures taken are usually state-of-the-art. Instead of beating companies over the head, imposing fines that are just going to show up in the prices consumers pay, why don't they share some of the Secret Stuff that they are using themselves to protect data? That might actually get some data protected. Unless the real goal is to raise money while telling The Stupid People that they are "sticking it to the Man."
    Robert Hahn
  • RE: Massive fines planned in European data breach crackdown

    I wonder how they hope to modify the "Safe Harbor Agreement" that has been especially set up by Europe and the USA to handle such issues and conflicts.
    jsargent
    • RE: Massive fines planned in European data breach crackdown

      @jsargent It's likely to be scrapped, at least for the most part.
      zwhittaker
  • RE: Massive fines planned in European data breach crackdown

    They need money.
    trm1945
  • I have a question

    If US companies have to follow both EU and American laws to do business there, do EU companies have to follow American laws to do business here?
    NoThomas