Businesses face tough EC data protection laws

If leaks are to be believed, a proposed European Commission law will require countries to adopt stringent new data protection measures.

Recently leaked information gives details of a European proposal for a new data protection law. If the leaks are to be believed, the new law will require EU countries to adopt stringent new data protection measures. If breached, the measures will allow companies to be fined up to 5% of annual turnover.

This is in stark contrast to the present theoretical maximum fine of £500,000. The European Commission has been debating such a law for at least 12 months and indeed sought submissions on possible changes over that period.

UK unwilling to take on large organisations

To date, the UK Information Commissioner's Office (ICO) has used its powers to fine companies sparingly. Indeed, in the first 20 months the UK Information Commissioner has fined only two businesses. Excluding one nominal fine, the only fine imposed on a commercial company was on A4E Limited, a company acting primarily as a supplier of services to the public sector. All the remaining seven fines were imposed on local authorities.

History shows that at least in the UK, the information commissioner has no appetite to take on companies bigger than he is. Take, for example, the case of Google collecting Wi-Fi data unlawfully in preparation for its Street View service a few years ago. 

The UK ICO took no effective action against Google, unlike its counterparts in Germany, Italy, Switzerland, Canada and the Czech Republic. In more recent times, the UK ICO has similarly failed to take action against Sony in respect of the PlayStation hacking incident or against Facebook for tagging of facial features.

Banks face increased risks over data loss

This week has seen David Cameron throw down a gauntlet to the European Union to protect the London-based banking industry. The European Commission is proposing a radical change to the UK's softly-softly approach to policing the data protection legislation, by proposing that a new European bureaucracy would enforce the new legislation. 

It remains to be seen whether the British government will continue the stance it started last week in opposing this type of legislation. If it fails to do so, British industry and British banks in particular will face a very significant increase in the risks associated with data loss. 

Proposals will hit companies outside the European Union

The one silver lining in the cloud of the new proposals is the way in which they propose to tackle the cloud computing industry. Previously this industry, based as it is to a large extent outside the European Union, has been able to ignore European data protection rules. 

The European Commission is proposing to extend enforcement of the new European Union rules to all foreign companies operating in the European Union. This would mark a significant change. No longer would companies such as Facebook be able to hide behind a foreign veil. Instead, the new rules would allow their EU subsidiaries to be fined. 

Mandatory disclosure of breaches

However, a company can only be fined if the proposed European data policing authority knows that the company has breached data protection rules. Therefore the European Commission is proposing to require companies to report data protection breaches. 

This is consistent with EU commissioner Viviane Reding's remarks in a speech on 29 November 2011, when she said: “Our proposal will introduce a general obligation for data controllers to notify data breaches. In concrete terms, that means notifying data protection authorities and the individuals concerned when a data breach is discovered.” 

What is not yet known is whether all breaches must be reported or, more likely, only those over a certain threshold of importance. 

Right to be forgotten

A proposal that has been debated for a while is a “right to be forgotten”. A provision to achieve this will also be included in the new legislation. 

This will require Facebook and other social media networks to change their sites significantly to improve the ease with which individuals can require their data to be removed. All of this is significant, in line with Reding’s view that “the protection of personal data is a fundamental right”.

Dai Davis is a solicitor and chartered engineer.
