“Today’s vote by the European Parliament’s Industry Committee is an important signal that industry needs uniform and clear data protection rules to take advantage of our Digital Single Market,” said Vice-President Viviane Reding, the EU's Justice Commissioner.
But while the ITRE committee supports much of the Regulation, it actually rejects one of the major planks. It disagrees with the proposed mandatory fining scheme of up to 2% of an offending company’s global turnover. At the moment, each member state of the EU levies its own fining mechanism, ranging from nothing to the UK ICO’s maximum possible fine of £500,000. In reality, 2% of global turnover would reduce the maximum possible fine for most UK offending companies.
It would, however, dramatically increase potential fines for large international companies. Google is currently under threat from the Article 29 Working Party group of national data protection regulators. Were the proposed Data Protection Regulation in position, Google would now be facing a potential fine of around $2 billion. As it stands, it faces only a limited threat from a disparate group of national regulators – some of whom can levy no fine at all.
ITRE is recommending that the current regime should continue: individual countries should be free to levy fines of their own choice. “A warning as opposed to an immediate fine makes sense," said Sean Kelly, the Irish author of ITRE’s opinion. "The gravity of the offense needs to be taken into consideration.”
This will clearly be seen as a victory for the large multi-national companies, such as Google and Facebook, who have been lobbying hard against certain aspects – such as the 2% fines – of the Regulation. It is also a potential face-saver for the European Commission who will be able to claim that they sought a very strongly enforced regulation, without having to upset the multi-nationals by implementing it.
Privacy activists will be less happy, wondering about the value of a law without adequate enforcement.