The European Commission (EC) has been hoping to pass new data protection laws for over three years in a move that would radically shake up the legal landscape for businesses operating in the region.
The vision took a step closer to arriving this week after ministers in the Justice Council agreed on a finalised version of the laws, paving the way for final discussions between the European Parliament, the EC and the Council of the EU.
With change on its way, V3 has put together an overview of the law and how it will affect businesses when it arrives.
What will change?
In a word, lots. There are several major changes that will create some serious burdens for businesses from a financial and operational perspective.
The most eye-catching new law will mean that firms can face fines of up to two percent of annual global turnover. At present the biggest fine a firm can face in the UK is a rather paltry £500,000.
The two percent figure is actually a climbdown by the EC from its previous suggestion of five percent, but this could still run into tens, if not hundreds, of millions of pounds, or euros, for major multinationals. The biggest possible fine for public agencies and charities will be €1m.
All businesses operating in Europe, regardless of their 'home' location, will also be bound by the new rules, which could further heighten tensions between US authorities, the EU and tech companies that operate in multiple regions.
Another key change is that the final regulation is almost certain to call for companies to have a dedicated data protection officer (DPO). The final parameters for the size and nature of firms that will require a DPO are yet to be finalised, but they are likely to be broad.
For consumers, there will also be a new ‘right to data portability’ which will force firms that have data on consumers to make it easy for information to be removed from the service or moved to another provider.
Finally, firms will have to be clearer about why they gather data and how it is used, giving people more clarity about why they have to hand over certain information.
What happens next?
The regulation will now be sent to the European Parliament, where it will be debated by MEPs. This could lead to some more hold-ups although, given that the Parliament is often pro-consumer, any changes that do come in are likely to create more headaches for businesses, not fewer.
When will all this come into effect?
Soon. The EC hopes that the law will be signed off before the end of the year, at which point it will instantly become law across the EU. This is because the new law is a regulation, not a directive. This is a notable difference.
The 1995 directive did not become law until 1998 in the UK under the Data Protection Act, giving businesses plenty of time to see how the law would work and prepare for its implementation.
However, as a regulation, once the law is passed it will become binding across all member states. This means that the law could be live and in place before the end of the year, something that may catch many firms unaware.
Mark Weston, a partner at law firm Matthew Arnold & Baldwin LLP, told V3 that the EC could apply a grace period to ease firms into the new data protection regime, but there is no guarantee they will do this.
“I would be amazed if they don’t apply some grace period, but they could bring it straight in as they’ve done that before,” he said.
Of course, there is a major question mark on the horizon in the form of the referendum on the UK’s involvement in the European Union, set to take place in 2016.
At the moment it’s impossible to know how this will play out so businesses are probably best advised to plan for the new EU laws, which are likely to arrive before the referendum takes place.
“Our advice to companies is to nominate an individual to ‘own’ this directive and its implications from this early stage so that they can prepare properly, and not to be afraid of seeking external advice,” added Weston.