The firm intention of all three is that a Data Protection Directive which covers law enforcement agencies and regulation which applies to companies will form a single package of reform to the current 1995 directive, and it will apply to all 28 countries and companies wishing to do business in the EU.
The three bodies have taken different approaches to implementing the 1995 regulations but are all now in agreement about the need for a common approach, with uniform fines and enforcement, less bureaucracy to make it easier for companies to operate across the EU and no less protection to the citizen than the current 1995 provisions. They envisage the directive will be ready by October and the package concluded by the end of the year.
An issue that remains to be agreed is the level of proposed fines for breaches, with parliament proposing fines of up to five percent of turnover, and the commission and council proposing fines of up to two percent of yearly turnover.
German MEP Jan Philipp Albrecht, who is lead negotiator for the EU parliament, while accepting that negotiations entail compromise, justified the higher figure, saying Parliament had looked at EU competition law enforcement where sanctions are up to 10 percent of the yearly turnover. “There has to be a clear signal that enforcement of the data protection law (is no longer) something technical, but is really having an impact on the ... economic dimension," he said. "There has been an impression that those enterprises with a lot of capital can (disregard) sanctions when ...not complying with data protection standards. A huge majority wanted (the fine to be) at least possibly up to five percent – applied case by case based on objective criteria, thus it would be rare (to go up to five percent). We also need a common view on enforcement.”
EU Justice Commissioner Věra Jourová agreed on the need for compromise and said that the Commission and Council, "will seek a level which is proportionate and effective,” emphasising that in implementation, there is discretion in enforcement on a case-by-case assessment.
The texts from each body were reported to be nearer to each other than expected, though differences remained on the rights of consumers and duties of data controllers, but there was agreement to give people greater control over data pertaining to them, and to know what it used for.
Currently only 15 percent of the 28,000 questioned in the latest Eurobarometer opinion poll, published by the Commission, felt that they had complete control over information they provided online whereas more than 30 percent said they had no control, and over 60 percent said they don't trust online companies. Most, 89 percent, said they want the same rights over their data regardless of the country where it is based.
In response to questions about data taken outside of Europe, Albrecht responded that the regulation would "make clear companies entering the market from abroad and targeting European citizens will have to apply these rules. We have to negotiate to get other countries to adopt similar measures, eg through an adequacy rating.”
Jourová added: “External companies and service providers coming to Europe will have to comply with EU rules. If data is sent outside EU, either that country has a similar level of controls or there are bi-lateral agreements, or agreements on an individual basis, or special agreements, such as Safe Harbour.”
In the UK, a new report from Experian suggests that as a result of the changes, mid-sized and large businesses could be in line for fines totalling £20 billion if they fail to protect their customers from data breaches yet UK businesses appear to be acutely under-prepared when it comes to the aftermath. Almost a fifth (17 percent) of companies have lost confidential information in at least one breach over the last two years and 57 percent of those affected experienced multiple breaches:
- Less than half of the organisations surveyed (47 percent) would notify their customers ‘as quickly as possible'
- 43 percent would offer a dedicated support team to reassure customers
- Just 16 percent say they would financially compensate anyone affected by a breach.
“The introduction of EU Data Protection Regulation, expected to come fully into force within the next three years, will fundamentally and dramatically alter the data breach landscape. Even in the absence of a strict notification law at this time, it is well within companies' best interest to put preventative measures and plans in place now. The companies that stay ahead will be those who focus on protecting their customers,” commented Amir Goshtai, managing director, Affinity, Experian Consumer Services.
On top of the fines, almost two-thirds (63 percent) of people say they would leave an organisation if their personal information was compromised. Customer confidence and loyalty would also be greatly affected with eight in ten Britons declaring that their overall level of trust in an affected company would decrease (80 percent) and their opinion of the organisation would worsen (79 percent). More than two thirds (67 percent) said they would advise their friends and family against doing business with a breached organisation.