New EU law - biggest data protection change in 20 years by Marc Dautlich, Partner, Pinsent Masons on 25-Jan-2012

New EU legislation is about to bring the biggest shake up of data protection laws in Europe for nearly 20 years. It promises to impact the operations of web-based businesses such as Google, Facebook and Microsoft. However, it will also affect thousands of mid-sized companies and public sector organisations across Europe.

On Wednesday 25 January 2012 Viviane Reding, the European Commissioner for Justice, will announce new European data protection laws. These aim to increase protection for personal data and harmonise regulation across the EU.

Based on a draft of the laws leaked in November 2011, they are expected to include harsher penalties for companies that break the laws and a requirement for any data breaches to be reported without undue delay, which Ms Reding said she took to mean 'within 24 hours'.

Based on the draft Regulation and the draft Directive leaked in November, these new EU data protection laws will impose a potentially substantial burden on European businesses. While the focus has been on the news that US-based businesses operating on the web, such as Google, Facebook and Microsoft will fall under the jurisdiction of the law when it comes to European consumers, no matter where their servers are located, the impact on home-grown businesses is substantial. Fixed costs on medium-sized companies will increase as they will need to appoint a Data Protection officer, no matter how little personal data they actually process in Europe. And with fines that were mooted to be up to 5 per cent of a company’s global turnover, the penalties for non-compliance are extremely large.

While the new law aims to protect personal data some of the concepts will be extremely expensive for internet businesses to implement. For example the 'Right to be Forgotten' would mean that users could demand that social media networks such as Facebook erase any of their comments, not just from the network itself but the entire web, which would involve unprecedented co-operation with search engines to achieve. Given these factors it is vital that the details of the laws are worked out carefully if they are to achieve their aims of protecting consumers while not holding back business operations and innovation across Europe.

The new laws will be announced at the World Economic Forum (WEF) at Davos on 25 January 2012. They will comprise two documents – the General Data Protection Regulation, which will allow the free flow of data and the protection of individuals while the Police and Criminal Justice Data Protection Directive gives rights to those who work in law enforcement, for the purposes of prevention, investigation, detection or prosecution of criminal offenses.

Importantly, when it is ratified the Regulation will become applicable in all 27 member states immediately, while the Directive will need to be voted on by the parliaments of member states before passing into local law.

Marc can be contacted at Pinsent Masons and more information is available at: www.pinsentmasons.com

Tweets by @biz_works