EC Looks To Impose Massive Data Breach Fines

The European Commission is to demand the power to fine companies for data breaches under new reforms

The European Commission (EC) is reportedly looking to introduce steep fines for companies that breach data protection laws as part of a proposed overhaul of privacy regulations.

The latest draft of the proposed changes would allow the EC to fine larger companies up to five percent of their global turnover, which could amount to billions of pounds for companies such as Google or Facebook, according to reports by the Financial Times and Bloomberg.

Updated Regulation

The reforms would give the EC powers comparable to those it wields in the area of competition, where it is able to fine companies up to 10 percent of their turnover for breaches. These powers have resulted in massive fines for the likes of Microsoft and Intel.

Companies would be liable for customer data sold to third parties without authorisation and data transferred to social networks or cloud-based services. The new regulations would apply to the European subsidiaries of organisations based outside the EU, forcing multinationals to strengthen their data protection policies.

In a speech in Brussels on Tuesday, EU Justice Commissioner Viviane Reding said the reforms are intended to be “an inspiration for changes in the US and elsewhere.”

She specifically singled out US plans for a self-regulation regime for companies that collect personal data, arguing that such a scheme “will not be sufficient to achieve full interoperability between the EU and US.”

The new rules would oblige companies to notify data protection authorities within 24 hours in the case of a breach affecting private data. By contrast, earlier this year RSA took two months to notify authorities of a compromise that affected its SecurID tokens. Companies with more than 250 employees would be required to employ dedicated data protection staff.

The EC is looking to introduce the first significant update to its data protection legislation since 1995, and is set to formally unveil its proposals in January. The changes will also look to alter the way social networks such as Facebook gather data about users.

The new measures must be approved by national governments and then implemented in national law, meaning it is likely to be at least four years before the rules come into effect.