Firms face tough new EU fines for data breaches

Companies may be fined up to two percent of global turnover for serious data-protection infractions in Europe under rules proposed by the European Commission
Written by Tom Espiner, Contributor

Businesses may be fined up to two percent of global turnover for serious data breaches under tough new data-protection rules proposed by the European Commission.


EU commissioner Viviane Reding has said firms could be fined up to two percent of turnover for serious data breaches, under new proposals. Photo credit: European Commission

Firms should inform national data-protection authorities within a day of serious exposure of personal data, justice commissioner Viviane Reding told a press conference in Brussels on Wednesday.

"Companies and organisations must notify [authorities] of serious data breaches as soon as possible — and to me, that means within 24 hours," said Reding.

The two-percent figure is a slight climbdown for the Commission, which had considered a five-percent fine level.

Under the Commission's proposed changes to the 1995 Data Protection Directive, companies can be fined up to €1m (£830,000), or two percent of global turnover, for serious violations of the regulations. For example, processing sensitive data without an individual's consent will be considered a serious violation, according to a Commission FAQ.

For less serious breaches of the rules, such as a company charging people a fee for requests for their personal data, firms can be fined up to €250,000 or up to 0.5 percent of turnover. Companies can be fined on a sliding scale depending on the severity of the breach: for example, penalties of up to €500,000 or up to one percent of turnover may apply for not supplying information to a user or for not rectifying incorrect data.

National data protection watchdogs will have their powers extended so they can enforce the new rules, the Commission said in a statement on Wednesday.

Single point of contact

One of the aims of the new rules is to provide businesses with much simpler data protection administration throughout Europe, according to Reding. National data authorities will become the primary point of contact for companies dealing with Europe-wide data questions, and the legislation aims to provide a single set of rules for data protection across Europe.


"National regulators will be a one-stop shop for companies, and also a one-stop shop for citizens," said Reding.

Rationalisation of data-protection administration, such as notification requirements across Europe, should save companies €2.3bn per year, according to the Commission.

The data-protection rules aim to strengthen consumer protections. When consent is required for data processing, that consent has to be explicit. People will have a right to data portability — they should be able to transfer personal data from one service provider to another.

Facebook and Google

European data-protection authorities will have jurisdiction over companies active in the European market which handle Europeans' personal data abroad. Companies such as Facebook and Google must comply with European data rules, said Reding.

"American companies... have to apply European law, like everybody who is doing business in Europe. Full stop," said Reding.

The rules will enforce a "right to be forgotten", which will allow people to request that their data be deleted. Companies faced with a request for deletion of data will have responsibility to pass that request on to companies that hold copies of that data, according to Marc Dautlich, head of information law at Pinsent Masons.

"The right to be forgotten will undoubtedly have an effect on internet platforms," Dautlich told ZDNet UK on Wednesday. "Even if I take down data from Facebook, I haven't got rid of it, because it's going to appear in Google's and all search engines' cache."

Compliance would have other implications — organisations with over 250 employees will have to employ a data-protection officer under the proposed rules, he said.

The Commission's new rules will go to the European Parliament and to the European Council for debate. Once adopted by these bodies, the legislation will take two years to come into effect.
