Massive fines planned in European data breach crackdown

The European Commission could impose huge fines on companies who breach new data laws, currently under review, even if they are based in the United States.
Written by Zack Whittaker, Contributor

The European Commission could directly impose severe fines against companies that breach European data protection laws, sources confirm.

The new European Data Protection Directive, set to be unveiled next month in January, will contain provisions for the Commission to impose fines of up to 5 percent of a company's global turnover.

In a similar case, under current European law, the Commission can fine companies that breach its antitrust laws up to 10 percent of their global turnover, regardless of where they are headquartered.

Fines imposed by the Commission in line with the new directive could amass billions of dollars worth of revenue for large companies, such as Google, Microsoft, or Facebook, even in their native U.S. homeland.

Though these companies have their head offices in the United States, they operate in Europe, obliging them to comply with both U.S. and European law.

But some members of the European Parliament (MEPs) are still concerned that the law will not patch existing flaws relating to third-country legislation, and are seeking emergency legislation.

More than half a dozen MEPs from Europe's lower house are seeking emergency legislation in a bid to enforce European law "not in the future, but today".

Viviane Reding, vice-president of the European Commission and Commissioner for justice, fundamental rights and citizenship, said last month that the updated European data protection directive would amend current laws, used by the 27 member states as foundation legislation, so as to protect European interests from third-country legislation.

Reding said in a speech on November 29th [PDF] that the new proposals would "in concrete terms" oblige companies to "notify data protection authorities and the individuals concerned when a data breach is discovered".

Plans in the new directive would include forcing companies to inform data protection authorities and their clients or customers that their data has been compromised.

These measures would force U.S. companies working within Europe to strengthen their data protection policies, circumventing current lax data protection laws in the region.

Recent data breaches brought high-profile companies great embarrassment, but no legislative punishment, bar public anger and a public-relations crisis to manage.

U.S. data protection laws are currently under review, as part of the trans-Atlantic data sharing agreements.

Rosemary Jay, former head of the UK's data protection authority's legal office, and senior attorney at Hunton & Williams, welcomed the comments from Commissioner Reding last month, but warned that the solution to third-country laws may be more intractable than her comments suggest.

"U.S. companies are put under pressure to disclose information to the U.S. government because those companies are subject to American law, either because they are operating in the U.S. and holding data on EU citizens as a result, or the operation is headquartered in the U.S., or their EU branches are controlled from the US."

"Whatever changes are made to EU laws cannot change the US position", she added.

"Indeed if EU laws were to be 'strengthened' to forbid companies from making disclosures in cases in response to requirements imposed by the U.S. government agencies those companies would be placed in an even more difficult position.

"It would be ironic indeed if an initiative aimed at trying to resolve this problem made life even more difficult than it already is for business".
