“Clear rules that are fit for the digital age.” That’s how Vera Jourova, the European justice commissioner, described tough new European data protection regulations just agreed by European policy makers.
The long-awaited reforms, which are expected to take effect in early 2018, will establish one set of rules on data protection across all 28 member nations in the European Union (EU).
As the New York Times reports, the new regulations would apply to any company with customers in the EU, whether or not it is based in the region.
This will expand potential liability for companies, experts note.
What key changes can businesses active in the EU market expect?
Among the policy changes, the new law would require companies to inform national regulators within three days of any reported data breach.
The other proposed change that jumps off the page is one that would link sanctions (read: fines) to company revenues.
Policymakers have agreed that fines could total up to 4 percent of a company’s global revenue for the most serious breaches of European data privacy rules. This could amount to billions of dollars, according to this report by the Guardian.
While the tougher fines are seen as a major step forward for consumer protection, they have raised concerns among large tech companies such as Google and Facebook, the NYT says.
It cites Peter Church, a technology lawyer at Linklaters in London:
The new law will also expand potential liability for companies, bringing increased responsibility and accountability for those controlling and processing personal data, according to this politico.eu article.
Currently, the data controller at a company is liable for data breaches in the EU, but Politico notes that once the law takes effect, both the controller and the data processors will be jointly liable for any damages.