The EU Parliament and Council finally agreed on a text for the long-awaited General Data Protection Regulation yesterday, in a deal which could lead to fines of 4% of annual turnover for firms which break the rules.
The landmark agreement – which will harmonize data protection laws across Europe – will now go to a Civil Liberties Committee vote on Thursday before Parliament votes as a whole in the new year.
The regulation will then take effect in two years’ time in all member states, with no more room for negotiation or localization.
The regulation’s harsh penalties could see some of the world’s biggest companies paying billions if they are found to have contravened the law.
Also included in the provisions is mandatory notification of “serious” breaches to the relevant national supervisory authority; a single regulator for multi-national companies wherever their HQ is; and the mandatory appointment of data protection officers (DPOs).
There will also be much work for large internet service providers in order to meet “right to be forgotten” and “right to data portability” rules.
However, SMEs will be relieved of the burden of reporting breaches, are exempt from having to appoint DPOs, and can even charge a fee for data access requests if they’re deemed “unfounded” or “excessive.”
Member states will be able to set their own age limits, between 13 and 16, on when parental consent is needed for children signing up to social media.
Part of the EU’s sweeping changes to data laws is the Data Protection Directive for the police and criminal justice sector. Unlike the regulation, this will be “transposed” by member states into their own laws.
It promises to “facilitate cross-border cooperation of police or prosecutors to combat crime and terrorism more effectively across Europe,” according to the European Commission.
The CBI’s interim chief policy director, Matthew Fell, was quick to criticize the new laws, claiming they “miss the mark for both businesses and consumers.”
“From driving research and development in healthcare to powering our free social media and search platforms, data analytics is a vital part of modern business. This new legislation could hamper that with unnecessary administrative burdens and costs, like mandatory data protection officers, placed on firms of all sectors and size,” he added in a statement.
“Businesses now need clarity from policymakers and regulators on what actually applies to their business so that they can mitigate the burden and cost of compliance as quickly and effectively as possible.”
But others were more positive. Andy Herrington, head of Cyber Professional Services at Fujitsu UK&I, welcomed the prospect of a single reporting and compliance regime, claiming it was right for a ‘cloud-first’ world.
“This new EU Data Protection regulation will help businesses become more proactive with regards to their hosting and data storage strategies. It means that service providers will be able to fulfill their role as a data processor, protecting the information it handles and stores on behalf of its customers, who, as owners of the data, remain the data controllers,” he argued.
“The tougher fines and raised awareness should also drive a much better understanding in the C-suite, and wider business, of what data is held, its value to the business and the controls required to protect these valuable assets.”