Soul-searching begins for the likes of Google as EU gets new privacy law

14 April 2016. By Magnus Franklin.

EU lawmakers are poised to stamp their final approval on a new data-protection law today, in a vote starting a countdown to the day when breaking privacy rules could draw fines approaching those now reserved for price fixers.

Some provisions in the legislation before the European Parliament are relatively straightforward: Corporate executives won’t lose much sleep over the obligation to tell individuals why their data is being collected.

But other measures will require some soul-searching — especially for online companies such as Google and Facebook, which must decide how closely they can skate to the edges of the law. How, exactly, will they meet a requirement to let users “port” their personal data from one provider to another, free of charge?

The General Data Protection Regulation has had a lengthy gestation. A first draft was published in January 2012, but the preparatory work began long before. The GDPR, as it’s known, builds on a 1995 EU data-protection law and a narrower 2009 “e-Privacy” law for the telecom industry. The update seeks to retool the safeguards to fit the explosive growth of online services in the mobile Internet age.

Digital carrot

The new legislation promises to hand individuals considerable control over how and when companies can use their names, dates of birth, locations and other personal details. But this stick comes with a big digital carrot, offering corporations a single rulebook that will apply in the same way across Europe, replacing today’s patchwork of 28 slightly different laws in each EU state.

For companies big and small, the work will begin immediately to ensure they stay within the law's boundaries when it starts to apply in May 2018, two years after its formal publication in the EU's Official Journal.

Claiming ignorance of the new rules will be no defense. The regulation requires public bodies, and any organization whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive data, to appoint a data-protection officer responsible for compliance. Everyone handling personal data is required to build data protection into their systems by design and by default, rather than bolting it on afterwards.

A second step for companies will entail mapping out the extent of their exposure to the law. Companies need to itemize the personal data they hold, where it came from, why they process it, and with whom they share it. Any business dealing with children will have special obligations, such as obtaining parental consent before offering online services to children under 16 (member states may lower that threshold to as low as 13).

Companies will also need to set up contingency procedures for handling incidents regulated by the new law. This could involve a data breach, which must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of discovery. But it could also entail an individual's request to have his or her information corrected or deleted, which means being able to locate every copy of that person's data, including copies held by processors.

Communication departments will meanwhile need to explain to customers, in plain prose, how and why their personal data is being used.

A final set of checks for companies operating in several EU countries will involve determining which national watchdog acts as their lead supervisory authority. Those sending personal data outside the bloc will need legal safeguards in place, since the regulation forbids transfers to countries without equivalent protection unless such safeguards apply.

Fat fines

Some of these requirements will be easier to comply with than others, and the fining scale in the law is staggered, meaning lesser offenses carry lower penalties. But it’s clear that the new law needs to be taken seriously. Today, by contrast, privacy authorities can hand down only symbolic fines at most.

Under the new rules, companies breaking the law can face penalties of up to 20 million euros ($22.5 million), or 4 percent of their global sales, whichever is higher. This pushes the penalties for breaking privacy law toward the magnitude of those for cartelists and monopolists, whose fines can reach up to 10 percent of global sales.

All of this gives companies plenty of homework to do between now and mid-2018. But EU lawmakers aren’t finished yet. The law provides numerous clauses that need to be fleshed out with “delegated” or “implementing” acts from the European Commission.

These include decisions on the “adequacy” of the privacy laws of any country outside the EU. An adequacy decision paves the way for smooth data exchange with that country.

Without it, companies must rely on more cumbersome alternative routes, such as standard contractual clauses or binding corporate rules, to legally export the personal data they hold. But procuring an adequacy ruling can prove tricky, as seen with the fraught negotiations over the EU-US "Privacy Shield", the proposed replacement for the "Safe Harbor" arrangement the EU's highest court struck down in October 2015.

The law also empowers the commission to approve "data-protection seals and marks": certification schemes that let a company demonstrate compliance with the new privacy law to customers and regulators.

Enforcement

The greatest uncertainty about the new privacy rulebook lies in how it will be enforced. All eyes will be on national watchdogs, as enforcers and plaintiffs scrutinize how the legalistic wording translates into everyday life.

Some future litigation is sure to be anchored in key rulings from Europe's highest court. These include decisions on the independence of regulators, the "right to be forgotten" online, and the limits on forcing telecom operators to retain data for law enforcement.

But many chapters of the law will remain shrouded in mystery until case law develops around them. Novel concepts and terms such as "pseudonymization", which the law defines as processing personal data so that it can no longer be attributed to a specific individual without additional information that is kept separately and protected, will likely need to be tested in the EU courts before being properly understood.
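To make the concept concrete, here is an added example (written for this page, not code from MLex or from any company named above) of pseudonymization as the law describes it: direct identifiers are replaced by keyed tokens, and the key plus a re-identification table are the "additional information" held apart from the working data set. The records, the field names, the key size and the helper names are all assumptions for illustration. The example also covers the deletion requests mentioned earlier, since a deterministic token lets an erasure request find every row belonging to one person, and it shows why an unkeyed hash of an e-mail address is not pseudonymization at all.

```python
"""Pseudonymization demo: keyed tokens with a separately held re-identification table.

Added example for this page; all records below are constructed sample data,
not real people.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (assumed schema). Two rows belong to the same person.
RECORDS = [
    {"email": "alice@example.com", "dob": "1984-03-12", "city": "Lisbon", "purchase": 42.0},
    {"email": "bob@example.org", "dob": "1990-07-01", "city": "Berlin", "purchase": 13.5},
    {"email": "alice@example.com", "dob": "1984-03-12", "city": "Lisbon", "purchase": 7.25},
]

# Fields that directly identify a person and must leave the working data set.
DIRECT_IDENTIFIERS = ("email", "dob")


def new_key() -> bytes:
    """Fresh 256-bit secret; this key must live outside the pseudonymized data set."""
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic token: the same input maps to the same token under a
    given key, but nobody without the key can recompute or check a token."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def _identity(rec: dict) -> str:
    return "|".join(rec[k] for k in DIRECT_IDENTIFIERS)


def pseudonymize(records, key):
    """Return (pseudonymized records, re-identification table).

    The table maps token -> original identifiers. Together with the key it is the
    'additional information' that must be stored separately and access-controlled.
    """
    out, lookup = [], {}
    for rec in records:
        token = pseudonym(_identity(rec), key)
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        out.append({"subject": token,
                    **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return out, lookup


def reidentify(token: str, lookup: dict):
    """Only the holder of the separately stored table can go back to a person."""
    return lookup.get(token)


def erase_subject(pseudo_records, lookup, email, dob, key):
    """Handle an erasure request: recompute the person's token with the key, drop
    every row carrying it and the lookup entry, and return the remaining rows."""
    token = pseudonym(f"{email}|{dob}", key)
    lookup.pop(token, None)
    return [r for r in pseudo_records if r["subject"] != token]


def unkeyed_hash(value: str) -> str:
    """What many systems do instead: plain SHA-256 of the identifier. No key."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:32]


def dictionary_attack(target: str, candidates, fn):
    """Low-entropy identifiers (e-mail addresses, dates of birth) are recovered by
    hashing guesses; this succeeds against unkeyed_hash and fails against pseudonym
    because the attacker cannot evaluate the keyed function."""
    for guess in candidates:
        if fn(guess) == target:
            return guess
    return None


if __name__ == "__main__":
    key = new_key()
    rows, table = pseudonymize(RECORDS, key)
    for r in rows:
        print(r)
    remaining = erase_subject(rows, table, "alice@example.com", "1984-03-12", key)
    print("rows after erasure:", len(remaining))
```

The design point a practitioner should take from this is the separation: the pseudonymized rows can be handed to analysts or processors, while the key and the table stay with a small team under separate access controls. Rotating the key re-tokenizes the whole data set, which is the lever for breaking linkage when a data set is shared onward.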

Those at most risk in this early phase of the law’s existence are household names in the digital economy. US companies that collect and manage vast amounts of personal data — think Apple, Facebook, Google and Microsoft — are sure to become attractive targets for enforcers eager to set examples.
