EU data protection reform may promise more than it deliver

Implementing the biggest shake-up to Europe’s data protection law in 20 years may prove difficult

Implementing the biggest shake-up to Europe’s fragmented data protection laws in two decades may fail to provide companies with the consistency and simplicity that had been promised across the 28-nation bloc.

A patchwork of privacy laws in the European Union, dating back to 1995 when the internet was in its infancy, was criticised for lacking teeth and being interpreted differently across the EU. To tackle those failings, the EU last week agreed a sweeping overhaul of data protection rules which would introduce a single rule book, fines of up to 4 per cent of a company's global turnover and simpler system of enforcement.

“A step change in sanctions will make privacy a board level issue,” said Tanguy Van Overstraeten, a lawyer at Linklaters. “Some businesses will need to start taking these issues a lot more seriously.”

Privacy has long been a particularly sensitive issue in Europe, where intrusive government surveillance during and after World War Two has made its protection a fundamental right on a par with guaranteeing the freedom of speech. The exponential growth in data -- from people's credit card habits, social media postings and wearable fitness devices tracking their sleep and movements -- have fuelled concerns that individuals do not have enough control over such information. The new rules should be a boon for web companies such as Google, Facebook and Amazon which do business across Europe and who currently have to deal with a series of national regulators.


However, critics of the new measures question whether regulators will be able to cope with an increased workload and whether the regulatory overlap has genuinely been removed. "We are concerned that investors will be scared off from investing in Europe and will look outside the continent to finance the next big thing in technology," said the Industry Coalition for Data Protection, whose members include Google, Facebook, Amazon and IBM.

National concerns

The rules are tougher in some obvious ways. Not all privacy regulators currently have the power to levy fines. When they do, the amounts are often paltry compared to the billions of dollars of revenues of the businesses involved. One of the most significant changes that companies were looking forward to was the “one-stop-shop”. Under the new law, which will come into force in two years, companies operating across the EU should only have to deal with the regulator in the country where they have their European headquarters. But it was watered down by member states who were eager to protect the power of their national regulators to investigate US tech companies -- which hold swathes of Europeans’ data -- and ensure citizens could still complain to their local authority about a company located elsewhere. That means any “concerned” authority will have the power to object to the decision made by the “lead” authority -- the one where the company has its EU headquarters. Lawyers say that the definition of a concerned authority is too broad and for some companies it will not be clear where their main European base is.

"There is concern that the trigger for other data protection authorities to get involved is too low," said William Long, partner at law firm Sidney Austin LLP. But consumer groups say ensuring that citizens can still complain to their local regulator is important for protecting their privacy. "If that proximity to the citizen is assured in a way that I, as a consumer, can easily complain to my national supervisory authority...that is a victory for citizens," said David Martin, senior legal officer at BEUC, the European Consumer Organisation.

Lawyers also point out it that the new EU rules leave many issues to the discretion of individual countries and there is still a risk that regulators could interpret them differently. “It would be bad if an Italian company were sanctioned more than a French one for the same thing,” Vera Jourova, EU Justice Commissioner, said in an interview.

If there is disagreement between regulators the case will be referred to a European Data Protection Board (EDPB), yet to be created, to take binding decisions. “The mechanism laid down in the data protection regulation establishes a hyper bureaucratic procedure that will lead to more complexity and longer procedures of law enforcement,” said Johannes Caspar, head of Hamburg’s data protection authority in Germany, which has jurisdiction over companies including Google and Facebook.