By Julia Fioretti
BRUSSELS (Reuters) – Implementing the biggest shake-up to Europe's fragmented data protection laws in two decades may fail to provide companies with the consistency and simplicity that had been promised across the 28-nation bloc.
A patchwork of privacy laws in the European Union, dating back to 1995 when the internet was in its infancy, was criticised for lacking teeth and being interpreted differently across the EU.
To tackle those failings, the EU last week agreed a sweeping overhaul of data protection rules which would introduce a single rule book, fines of up to 4 percent of a company's global turnover and a simpler system of enforcement.
"A step change in sanctions will make privacy a board level issue," said Tanguy Van Overstraeten, a lawyer at Linklaters. "Some businesses will need to start taking these issues a lot more seriously."
Privacy has long been a particularly sensitive issue in Europe, where intrusive government surveillance during and after World War Two has made its protection a fundamental right on a par with guaranteeing the freedom of speech.
The exponential growth in data — from people's credit card habits, social media postings and wearable fitness devices tracking their sleep and movements — has fuelled concerns that individuals do not have enough control over such information.
The new rules should be a boon for web companies such as Google, Facebook and Amazon which do business across Europe and which currently have to deal with a series of national regulators.
However, critics of the new measures question whether regulators will be able to cope with an increased workload and whether the regulatory overlap has genuinely been removed.
"We are concerned that investors will be scared off from investing in Europe and will look outside the continent to finance the next huge thing in technology," said the Industry Coalition for Data Protection, whose members include Google, Facebook, Amazon and IBM.
The rules are tougher in some obvious ways.
Not all privacy regulators currently have the power to levy fines. When they do, the amounts are often paltry compared to the billions of dollars of revenues of the businesses involved.
One of the most significant changes that companies were looking forward to was the "one-stop-shop".
Under the new law, which will come into force in two years, companies operating across the EU should only have to deal with the regulator in the country where they have their European headquarters.
But it was watered down by member states who were eager to protect the power of their national regulators to investigate U.S. tech companies — which hold swathes of Europeans' data — and ensure citizens could still complain to their local authority about a company located elsewhere.
That means any "concerned" authority will have the power to object to the decision made by the "lead" authority — the one where the company has its EU headquarters.
Lawyers say that the definition of a concerned authority is too broad and for some companies it will not be clear where their main European base is.
"There is concern that the trigger for other data protection authorities to get involved is too low," said William Long, Partner at law firm Sidley Austin LLP.
But consumer groups say ensuring that citizens can still complain to their local regulator is significant for protecting their privacy.
"If that proximity to the citizen is assured in a way that I, as a consumer, can easily complain to my national supervisory authority…that is a victory for citizens," said David Martin, senior legal officer at BEUC, the European Consumer Organisation.
Lawyers also point out that the new EU rules leave many issues to the discretion of individual countries and there is still a risk that regulators could interpret them differently.
"It would be offensive if an Italian company were sanctioned more than a French one for the same thing," Vera Jourova, EU Justice Commissioner, said in an interview.
If there is disagreement between regulators the case will be referred to a European Data Protection Board (EDPB), yet to be created, to take binding decisions.
"The mechanism laid down in the data protection regulation establishes a hyper bureaucratic procedure that will lead to more complexity and longer procedures of law enforcement," said Johannes Caspar, head of Hamburg's data protection authority in Germany, which has jurisdiction over companies including Google and Facebook.
(This story has been refiled to fix spelling of name, paragraph 4)
(Reporting by Julia Fioretti; Editing by Keith Weir)