As Viviane Reding says greater fining powers are needed, top data protection lawyer warns about incoming laws
Strict rules on data protection, proposed by the European Commission, will lead to far more fines than anyone has predicted, a top privacy lawyer said today.
The comments came just two days after European Commission vice president and EU Justice Commissioner Viviane Reding reiterated the need for bigger fines for serious breaches of the law.
The regulation, currently being debated in Brussels, will include stipulations to report data breaches within 24 hours of discovering them and fines of up to two percent of company turnover.
Hefty privacy fines incoming
The UK regulator, the Information Commissioner’s Office, has already shown a willingness to fine businesses for breaches and will be given more remit to do so once the additional powers come into force, said Stewart Room, partner in Field Fisher Waterhouse’s Privacy and Information Law Group.
The government expected around eight fines would be issued each year when it gave the ICO powers to hit companies with monetary penalties, Room said. Insted, there were 18 in 2013 and 25 in 2012. The ICO has “risen to the challenge” of becoming an independent regulator unafraid of waving its stick.
If the current version of the European data protection regulation is approved, the fining situation in the UK “will be much worse than what everyone is telling you now”, he added.
But this is simply part of a worldwide trend of increasingly using a blunt legal instrument to punish businesses that err, Room said. “It has crossed the Rubicon internationally… the private sector is more exposed than the public sector now.
“If Europe is a hammer, everything it sees is a nail.”
Room recommended those organisations worried about this tougher regulatory environment focus less on general compliance and more on securing private personal data, as that is where their reputation is maintained or destroyed.
“When it comes to looking at regulatory pain, financial penalties, business needs to rebalance the focus away from general compliance issues, towards the security and confidentiality arenas. Too much energy has been focused on the wider compliance agenda. If you’re going to be driven by sanctions and bad publicity, you should re-focus towards security and confidentiality.”
Reding said on Sunday that companies who had betrayed customers’ trust should be punished accordingly and current fining powers were not enough. She pointed to the Google Street View breach, in which it siphoned off data from citizens’ Wi-Fi networks and delivered contradictory information to global regulators.
The subsequent fines were just “pocket money” for Google. In Europe, the tech titan was slapped with a number of fines, including a €900,000 penalty in Spain.
“Europeans need to get serious. And that is why our reform introduces stiff sanctions.”
In late 2012, TechWeekEurope uncovered widespread lobbying from US firms attempting to water down the legislation, but the Commission said it was standing firm.
Care about privacy? Try our quiz!