BRUSSELS (Reuters) - A sweeping reform of fragmented laws governing the uses of personal data set to be agreed by the European Union on Tuesday will force companies to report privacy breaches to authorities or face stiff sanctions.
EU governments and members of the European Parliament are expected to agree the new data protection law, which would replace a patchwork of 28 different laws and give regulators greater enforcement powers.
A problem with current laws, which date back to the 1990s, is that regulators can only levy fines which are puny in comparison to the revenues of the companies involved. Some privacy watchdogs do not even have that power.
The threat of sanctions of 4 or 5 percent of global revenues, depending on the outcome of Tuesday’s negotiations, should make businesses more mindful of data protection, lawyers and privacy activists say.
However, the new law aims to make doing business across the EU easier by subjecting companies to just one regulator, in whatever country they have their European headquarters.
The so-called one-stop-shop system seeks to prevent companies from having to deal with a different regulator in each country where they operate, a particular headache for the likes of Google and Facebook.
The problem has been highlighted by Facebook’s spat with the Belgian Privacy Commission, which sued the company even though Facebook argues it should only be regulated by the authority in Ireland, where it has its European headquarters.
The law will bring in strict requirements that national authorities be alerted within 72 hours of when data breaches occur, an issue highlighted by leaks of customer information at British telecom operator TalkTalk over the past year.
Companies will also have to inform their customers of data breaches as soon as possible.
The lack of reported big data breaches in Europe has bred widespread disregard for the everyday threats facing consumers and businesses, say cyber security, legal and policy experts.
For while headline-grabbing cyber attacks in the United States have become commonplace, the risks of stolen customer data in Europe may be similar, although far less often reported, because of a patchwork of outdated regulation.
“It is believed that many breached organizations are not currently disclosing breaches so the new directive will force the hand of organizations,” said Jeremy King, international director at payments security trade group PCI Security Standards Council.
Additional reporting by Eric Auchard in Frankfurt; Editing by David Holmes