A patchwork of privacy laws in the European Union, dating back to
1995 when the internet was in its infancy, was criticised for
lacking teeth and being interpreted differently across the EU.
To tackle those failings, the EU last week agreed a sweeping
overhaul of data protection rules which would introduce a single
rule book, fines of up to 4 percent of a company's global turnover
and a simpler system of enforcement.
"A step change in sanctions will make privacy a board level issue,"
said Tanguy Van Overstraeten, a lawyer at Linklaters. "Some
businesses will need to start taking these issues a lot more
seriously."
Privacy has long been a particularly sensitive issue in Europe,
where intrusive government surveillance during and after World War
Two has made its protection a fundamental right on a par with
guaranteeing the freedom of speech.
The exponential growth in data -- from people's credit card habits,
social media postings and wearable fitness devices tracking their
sleep and movements -- has fuelled concerns that individuals do not
have enough control over such information.
The new rules should be a boon for web companies such as Google,
Facebook and Amazon, which do business across Europe and
currently have to deal with a series of national regulators.
However, critics of the new measures question whether regulators
will be able to cope with an increased workload and whether the
regulatory overlap has genuinely been removed.
"We are concerned that investors will be scared off from investing
in Europe and will look outside the continent to finance the next
big thing in technology," said the Industry Coalition for Data
Protection, whose members include Google, Facebook, Amazon and IBM.
NATIONAL CONCERNS
The rules are tougher in some obvious ways.
Not all privacy regulators currently have the power to levy fines.
When they do, the amounts are often paltry compared to the billions
of dollars of revenues of the businesses involved.
One of the most significant changes that companies were looking
forward to was the "one-stop-shop".
Under the new law, which will come into force in two years,
companies operating across the EU should only have to deal with the
regulator in the country where they have their European
headquarters.
But it was watered down by member states who were eager to protect
the power of their national regulators to investigate U.S. tech
companies -- which hold swathes of Europeans' data -- and ensure
citizens could still complain to their local authority about a
company located elsewhere.
That means any "concerned" authority will have the power to object
to the decision made by the "lead" authority -- the one where the
company has its EU headquarters.
Lawyers say that the definition of a concerned authority is too
broad and for some companies it will not be clear where their main
European base is.
"There is concern that the trigger for other data protection
authorities to get involved is too low," said William Long, Partner
at law firm Sidley Austin LLP.
But consumer groups say ensuring that citizens can still complain to
their local regulator is important for protecting their privacy.
"If that proximity to the citizen is assured in a way that I, as a
consumer, can easily complain to my national supervisory
authority...that is a victory for citizens," said David Martin,
senior legal officer at BEUC, the European Consumer Organisation.
Lawyers also point out that the new EU rules leave many issues to
the discretion of individual countries and there is still a risk
that regulators could interpret them differently.
"It would be bad if an Italian company were sanctioned more than a
French one for the same thing," Vera Jourova, EU Justice
Commissioner, said in an interview.
If there is disagreement between regulators the case will be
referred to a European Data Protection Board (EDPB), yet to be
created, to take binding decisions.
"The mechanism laid down in the data protection regulation
establishes a hyper bureaucratic procedure that will lead to more
complexity and longer procedures of law enforcement," said Johannes
Caspar, head of Hamburg's data protection authority in Germany,
which has jurisdiction over companies including Google and Facebook.
(This story has been refiled to fix spelling of name, paragraph 4)
(Reporting by Julia Fioretti; Editing by Keith Weir)
[© 2015 Thomson Reuters. All rights reserved.]