European Data Protection Reform – The 100 Million Euro Fine

If your company touches any Europeans’ data you’d better prepare for what’s coming.

The EU data protection reform is steadily moving forward. On March 12, 2014, the European Parliament adopted the current proposal in its first reading. The new regulation is intended to strengthen consumer privacy rights and to boost Europe’s digital economy. However, many experts across the Atlantic have expressed deep concerns with regard to some controversial aspects of the incoming laws, which introduce bigger fines, 24 hour disclosure and the enforced Data Privacy Officer. The proposed regulation applies to the processing of personal data pertaining to data subjects in the EU even if the controller or processor of such data is not established in the EU. U.S. companies with or without operations in the EU that fail to comply with the new rules can trigger fines up to €100 million. If your company touches any Europeans’ data, you’d better prepare for what’s coming and know what to do to minimize the impact on your organization when the regulation is enforced.

The 100 million euro fine: outrageous sanctions set a disturbing precedent.

Under the current national European data protection laws enacted or amended in the wake of Directive 95/46/EC, administrative fines are rather limited – i.e. in Germany the maximum fine is €300,000 – and rarely imposed at all. The new regulation entails a paradigm change in that it introduces substantial sanctions for non-compliance with the new rules. While the Commission´s first draft still provided for fines up to 2% of the controller´s or processor´s turnover, the current regulation ups the ante and introduces fines of up to €100 million or 5% of the annual worldwide revenues of the non-compliant company. To avoid any disproportionate fines, the supervisory authority and ultimately the EU Commission, will have to pay close attention to the guidelines set forth in Article 79 Para. 2c. of the regulation that call for the consideration of various factors for the assessment of the gravity of an offense and the degree of fault by the controller or processor. It is likely that first time and unintentional offenders who aim to rectify any non-compliance in due course will be exempted from any fine, as well as alleged offenders in cases where the obligations imposed by the regulation are subject to interpretation. If there is any doubt about the nature or true extent of the Controller´s duties under the regulation, the latter should be construed in favor of the controller or processor in fines and penalty proceedings.

Leupold thinks “These fines are disproportionate. It’s really too much.” 2 percent of the global revenues was the original figure in the original draft of the commission in 2012. “5 percent may not sound much, but if you look at the €100 million, it’s disproportionate. It’s already raising strong concerns in the German government which is resisting this kind of fine, and I agree with them. It’s way too high.”

The reason why the commission thought fines should be increased is to deter foreign companies from not complying with the regulation. They also want to make the point that it’s no longer acceptable to disregard the European data protection laws and get away with no consequences.

Leupold stresses that the Commission´s approach must be taken seriously: “I’ve never seen a supervisory authority in the past 10 years or even 15 years to impose a hefty fine on any one of my clients. The usual procedure always is that you get a friendly letter advising you that you are not compliant and that you must act. Then if you do act and if you cooperate as a first time offender you don’t risk any fine. But to ignore the new rules of the General Data Protection Regulation can become a very costly mistake.”

An intriguing explanation for the prospected increase in fines points to the intense lobbying activity going on in Brussels. The data privacy industry is already a well established reality in Europe, definitely more than in the U.S.. And this industry can greatly benefit not only from bigger fines, but also from the regulation as a whole because it’s getting more and more complex.

“The EU wants to send a message to the whole world: You now need to take data protection seriously if you want to do business in Europe,” says Paolo Balboni, Scientific Director of the European Privacy Association and founding partner at ICT Legal Consulting. “However, the message may be not so effective. Company personal data protection compliance can be better fostered by a good balance between incentives and sanctions rather than only very high fines.”

Any regulatory approach needs to balance the carrot and the stick. The fines proposed in European laws are very heavy. However, the primary concern is on how they’re calculated. The precedent set by this regulation, could have very difficult consequences for the Internet in general. Having one regulation assess fines based on worldwide income, sets a disturbing precedent for a communications tool that crosses international boundaries.

“The fines that are currently proposed in the European data protection law are not only outrageous, they set a truly disturbing precedent for the Internet in general.”, argues Snead. “To fine someone based on their worldwide income it’s likely to send people away from your jurisdiction or to create methods so that they don’t have to comply. I don’t see how this is going to work. There are a large number of logistical and financial problems associated with it.”


Next: 24 hour disclosure or undue delay?

Previous: EU regulation vs. U.S. laws: a matter of cultural bias?

CREDITS

Dr. Andreas Leupold LL.M.

IT-Law, Outsourcing, Cloud Computing, Data Protection & Data Security.

Munich, Germany

David Snead

Internet Attorney and co-founder of Internet Infrastructure Coalition

Washington D.C. Metro Area

Paolo Balboni

Founding Partner at ICT Legal Consulting

Milan Area, Italy