Data breach law: Companies facing fines of five per cent of turnover

New EU data protection legislation to be proposed next month...

Companies that flout European data protection legislation could be fined up to five per cent of their global turnover under proposed EU data privacy laws.

EU justice commissioner Viviane Reding said next month she will put forward legislation to replace existing European data protection law, which dates back to 1995.

New legislation is needed to reflect the way technology has changed data handling in the 16 years since the original law was passed, Reding told the Second Annual European Data Protection and Privacy Conference on Tuesday.

A new European data protection law will be proposed next month. Photo: Shutterstock

"In a world of ever-increasing connectivity, our fundamental right to data protection is in this moment seriously tested. Although the basic principles and objectives of the 1995 Directive remain valid, the rules need to be adapted to new technological challenges," she said.

Reding's speech follows a report in the Financial Times that outlined what is thought to be the detail of the draft data protection law. An EC spokesman told sister site ZDNet UK yesterday that the details of the report are correct, but that the legislation is still in draft and subject to change.

Under the draft law the highest fines - five per cent of global turnover - could be levied against companies that mishandle personal data belonging to customers, suppliers or their own employees. Currently in the UK, £500,000 is the largest fine that can be imposed on an organisation for breaching UK data protection laws by the government's data protection watchdog, the Information Commissioner's Office (ICO).

Under the proposed EU law, companies that compromise private data will also have to notify the national data protection authority, as well as affected parties, within 24 hours of the loss. Currently in the UK there is no legal requirement for private companies to notify the ICO about any data loss.

The process of approving the new EU data protection law is likely to take at least two years, followed by another two years before the measures come into effect.

In her speech Reding said that the new law will simplify current data regulations by reducing the number of differing rules across Europe.

"I want to introduce one data protection law in Europe and have one single data protection authority for each business," she said.

Reding also highlighted the need to encourage cloud computing datacentres to be set up in Europe, saying in her speech that strong data protection rules would help to "build trust" in commercial operations.
