Under sweeping data privacy rules agreed in Brussels late Tuesday, the European Union will be able to levy significant penalties on any company that fails to protect personal data or otherwise mishandles consumers' sensitive information. That could mean big problems on the Continent for U.S. tech giants like Google, Apple, Facebook and Twitter.
First proposed almost four years ago, the EU Data Protection Reform regulations have now been agreed by the European Commission, the European Parliament and the Council representing all 28 EU member states, and herald wide-ranging changes in the way personal information must be handled and data breaches reported. A breach must be reported to the supervisory authority within 72 hours, and any company found to be misusing people's online data is subject to fines of up to 4 percent of annual revenue, which in some cases could run into hundreds of millions of dollars.
The new rules will also give consumers more control over their information, write the controversial Right to Be Forgotten ruling into law and let each member state set the age at which children can sign up to social media services anywhere between 13 and 16.
Since the European Parliament voted on the reforms last year, member states and regulators have been thrashing out the details. The final version will be brought back before the parliament in early 2016, but the new rules won't become applicable for a further two years, to give companies time to adjust.
Beyond the Financial Impact
Aside from the potential cost of fines, companies also face the prospect of completely revamping the way they handle customer data in Europe. That includes changing how data is collected, stored and shared, which in turn could hit companies' balance sheets. The financial impact of the new regulations will vary from organization to organization, depending on factors such as the company's current level of privacy safeguards and how much privacy risk it is willing to take.
“In a worst-case scenario it is going to have a very significant impact,” Mark Thompson, privacy practice leader at KPMG, told International Business Times. “This might result in significant internal costs to align privacy practices and cause companies to completely rethink some of their key business practices. I expect the first few fines levied by regulators to be very significant.”
The fine itself may be significant, but there are other, less quantifiable repercussions. “Add to that the requirement to notify authorities of a breach, the potential resulting loss of brand image and customer confidence, and you can see why this has become a very important issue around the globe,” Nigel Hawthorn, chief European spokesman at cloud security company Skyhigh Networks, told IBT.
Commentators have presumed that the fines contemplated by the reforms will be calculated on the global annual turnover of the entire company, but the language of the text available so far does not make that entirely clear. One source told IBT that the wording of the final version may be changed to clarify whether the percentage relates to global operations or only to those carried out in Europe.
European regulators have welcomed the reforms, seeing them as a major milestone in their attempt to create a Digital Single Market.
“We should not see privacy and data protection as holding back economic activities,” Andrus Ansip, the Estonian politician heading up the commission’s push for a Digital Single Market, said in a statement. “They are, in fact, an essential competitive advantage. Today’s agreement builds a strong basis to help Europe develop innovative digital services.”
This, however, is not how major tech companies like Google, Apple, IBM and Qualcomm see the situation. “We fear that the text agreed upon between the European Commission, European Parliament and the Council of Ministers last night will undermine the ability of businesses in Europe to invest, innovate and create jobs,” a statement from lobbying group Digital Europe said.
Digital Europe lobbies on behalf of more than 60 technology companies from around the world, including the U.S. giants mentioned above, Chinese companies such as Huawei and ZTE, and South Korea's Samsung. With the comment period now closed, however, there is little these companies or their lobbying group can do to change the minds of European politicians.
“I think it is a case of getting on with it. If you want to do business in Europe, if you want to offer different services — including free services — into the European market, it is going to be necessary to comply with the regulation. It is as simple as that,” London-based privacy attorney Susan Foster told IBT.
Google and Twitter declined to comment, while several other tech companies did not immediately respond to inquiries.
Facebook 'Likes' The Rules
Facebook, potentially the company most exposed to the new rules, has nevertheless welcomed the reforms.
In an emailed statement to IBT, a representative said: “Having a single set of rules to protect Europeans' personal data while creating opportunities for growth and innovation is important for people in Europe and the European economy. We welcome consistent regulations that enable all companies to comply with the same standards across Europe, under the guidance of one lead supervisory authority.”
Facebook is already facing fines in Europe after a Belgian court last month ordered the social network to pay $268,000 for each day it failed to comply with an order to alter the way tracking cookies work on its site.
Many outside the Continent will see the new data regulations as the latest heavy-handed move by European regulators against U.S. companies. Alongside antitrust investigations into Microsoft and Google and a probe into Apple's tax affairs, the European Court of Justice earlier this year ruled the Safe Harbor agreement invalid, ending a 15-year arrangement that allowed easy transfer of data between Europe and the U.S.
While the reforms have been agreed upon, there is still work to be done before the final versions of the texts are presented to the European Parliament and council in early 2016, and this may be causing some confusion. “Changes to the definition of what is and is not personal data, the need for ‘explicit’ consent for data collection and different documentation requirements all need to be interpreted, and any relevant changes made,” Richard Brown, from U.S.-based cloud security company Arbor Networks, told IBT.