Businesses face €100m data protection fine after EU vote

European Parliament has voted to increase fines from two percent of global turnover to five percent

Businesses could face a fine of €100 million or five percent of their annual global turnover, whichever is greater, following a European Parliament vote to strengthen the proposals for new EU data protection laws.

This is an increase from €1 million and two percent of global turnover, which was initially recommended by the European Commission on 25 January 2012, when it proposed a reform of the EU's 1995 data protection rules to make them more relevant to the digital age.

"The European Parliament agrees that national data protection authorities need to be able to impose effective sanctions in case of breach of the law. It has proposed strengthening the Commission's proposal by making sure that fines can go up to five percent of the annual worldwide turnover of a company."

Other, stronger reforms approved by the parliament include tighter restrictions on international data transfers and a requirement for companies to appoint a data protection officer if they process the personal data of more than 5,000 individuals.

Following this vote, the next stage is for justice ministers to meet on 5-6 December 2013 to continue the data protection reform discussions.

However, despite EC president Jose Manuel Barroso calling for swift adoption of the reformed regulations before the end of this parliamentary term, some industry experts believe that the EU is taking too long to agree reforms that were proposed more than a year ago.

Belinda Doshi, partner at law firm Nabarro, said: "The latest text is disappointing and appears to be a knee-jerk reaction to the Prism revelations.

"It's time for European lawmakers to 'get real', listen to business and quickly get on with the business of agreeing a realistic text for the draft General Data Protection Regulation. This type of posturing will only lead to further delay in agreeing the 21st century data law that the EU badly needs - a single data protection regulation with a one-stop-shop regulator principle."

Ovum's telecoms regulation analyst, Luca Schiavoni, agreed.

"The amendments include tighter rules for the transfer of personal data to non-EU countries upon request from a public authority, which should now be possible only on the grounds of EU law or treaties between countries. This seems to be a reaction to recent, headline-making stories such as the Prism scandal, and, if passed in this form, may strongly limit US companies' ability to transfer European users' data to the US."

In addition, Schiavoni believes that the reforms will still create more administration work for internet companies, and that the high financial penalty is too harsh for small companies.

"Working out in detail how to ensure that a user gives 'explicit and informed consent' to personal data processing also remains a challenge. This is very likely to turn into an extenuating box-ticking exercise for end users of online services and apps, and is likely to be burdensome for internet companies to implement."

Schiavoni added: "The set of fines seems to have been devised with some internet giants in mind, but it looks disproportionate for smaller companies. Clear regulation will be necessary to ensure that small start-ups can easily comply with it, without running the risk of being hard-hit for not complying with rules that appear difficult to implement."

However, TK Keanini, CTO of Lancope, a US company providing network security, performance and application monitoring products, believes that the level of fine is fair.

"The fines are necessary in my opinion," said Keanini. "There must be pain or it will just be viewed as a 'cost of doing business fee'. Getting this number right is critical and it already looks like some analysis went into a tiered model.

"Having no fines at all would be a mistake, having unreasonably high fines will just result in revision after revision until it settles down. And five percent is just painful enough to cause a change in behaviour."

Stories by Anh Nguyen