Skip to main content
close search
site logo
Deep Dive

What will the new EU privacy law mean for U.S. businesses?

Published Dec. 18, 2015
By
Contributing Editor
By www.elbpresse.de (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons

This week, after nearly four years of debate, European Union officials finally reached agreement on a new EU-wide digital privacy law. The law, which must still be approved by the EU Parliament in January, creates a strict new legal framework for how companies can use individuals’ personal information.

Stuart Buglass, vice president of Consulting at Radius Worldwide, who has 15 years’ experience advising high tech multinationals on overseas data protection/privacy regulations and compliance, says there are both positives and negatives to the new law from a business perspective.

“Most of the provisions of the GDPR simply refresh what is already included in the existing directive, so for those data controllers that are already compliant the step-up required by the GDPR should not demand too many upgrades,” says Buglass. “Having said that, it remains to be seen what benchmark will be required to comply with the privacy by design, the right to be forgotten, the consent requirements and data breach notification provisions…all of which will have even greater significance given the large penalties that could follow a breach.”

Among the positives is the fact that companies will now have just one set of rules to follow. The new law will replace a patchwork of 28 different sets of national privacy laws. Having one set of data privacy rules operating across all member states is a big improvement, said Buglass, but enforcement will still be a matter for local courts and their interpretation of the laws.

“It remains to be seen how consistency can be maintained between Member States,” says Buglass. “Nor will there be a single data protection authority – each country will continue to have its own regulatory authority.”

Fines could be substantial 

On the negative side, the new law requires that consent from individuals must be explicit and must be given each time the processing or use of the data is expanded or changed.

That “could have ramifications for businesses that apply ever-changing analytics as part of the march for Big Data,” says Burglass. “In many cases the current practice of getting a single consent box ticked at the point of initial collection will not be enough.”

The new law will also boost the bloc’s previously small privacy penalties to potentially billions of euros. Determining fines was one of the major sticking points in reaching an agreement on the new law. The EU Parliament wanted a 5% fine and the Council wanted a 2% fine. On Tuesday, a compromise was reached. The final ruling was that a breach could result in a fine up to 4% of a company’s global gross revenue, which could be a very big sum for a large company.

“This will raise major concerns in the boardrooms of all large multi nationals including U.S. social media giants such as Facebook and Google who have a long history of run-ins with the European courts on data privacy infringements,” says Buglass.

Extraterritorial reach

Buglass says one provision of the new law that may have great impact on businesses but is likely to attract less attention than the large penalties is the extraterritorial reach of the law, which will apply to all companies that collect data on EU data subjects, and does not require the Data Controller to be ‘established’ in the EU.        

All Data Controllers that utilize EU citizen data will have a duty to document their data processes including categorizing data types, ensuring there is an audit trail that records the recipients of data, ensuring that time limits are applied to data retention, and providing better data access to individuals.

A processor has liabilities, too

Under the current Directive only Data Controllers are liable for privacy breaches. Third party data processors operating on behalf of the data controller do not have liability for breaches. But under the new law individuals will be able to sue data processors for damages. The law also specifically includes storage as an act of data processing and as a result there can be no argument that storage in the cloud is inside or outside of the law.  

The bottom line

Buglass says the biggest impact of the new law will likely be to organizations that are currently free from EU data protection laws – namely data processors and those data controllers that are not deemed to be established in the EU – both of which will find themselves liable for breaches of any EU data they have in their control.

One last bit of good news: If the final draft gets approved by the EU Parliament in January, it will be two years before it will become law – giving businesses plenty of time for further discussion and time to put action plans in place.

 

Filed Under: Security, Big Data

Editors' picks

Company Announcements

View all | Post a press release
Unanet Acquires GovPro AI to Enable Customers to Win More Business
From Unanet
November 22, 2024
Newgen and Fadata Join Forces to Optimize Insurance Content Management
From Newgen Software
November 13, 2024
Viz.ai Wins Prestigious Prix Galien USA Award for Best Digital Health Solution
From Viz.ai
November 12, 2024
Legion Technologies Partners with Vail Resorts to Expand Workforce Management Across 37 Resort…
From Legion Technologies
November 19, 2024
Editors' picks
Latest in Security
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell