Sweeping reform of data protection law, approved by European Union officials last night, aims to subject companies to just one regulator.
The so-called one-stop- shop system means companies won’t have to deal with a different regulator in each country where they operate. They will only have to deal with the regulator in the country where their European headquarters is located.
The problem was highlighted in the Belgian Privacy Commission’s court case against Facebook. The social network argued it only had to answer to the regulator in Ireland where its European headquarters is based.
HeadquartersAs the majority of the world’s largest tech companies have their European headquarters in Ireland, the Irish Data Protection Commissioner will effectively have to regulate data issues for those companies’ operations throughout the EU.
Irish MEP Seán Kelly said Ireland is prepared for the changes, with a near doubling of the Data Protection Commissioner’s budget, and an increase in staff at the office from 29 to 50.
The new law, if passed, will also require companies to report privacy breaches to authorities or face heavy penalties.
Companies will have to alert national authorities of a data breach within 72 hours.
A problem with current data protection laws is that regulators can only levy fines which are small in comparison to the revenues of the companies involved.
The threat of sanctions of 4 per cent of global revenues – the figure was negotiated last night – will ensure businesses are more mindful of data protection, according to lawyers.
“It will be a deterrent which is the most important thing. If it wasn’t a deterrent, companies would just break the law, pay the fine and get on with it,” Mr Kelly said.
Data controllersJohn Higgins, director general of Digital Europe, the organisation which represents the digital technology industry in Europe, said questions still linger on topics such as the allocation of roles and responsibilities between data controllers and data processors.
“During a period of economic recovery, European citizens and businesses cannot afford regulation which unnecessarily stifles job creation, competitiveness and data-driven investment,” he added.
He said adherence to the self-imposed end of 2015 deadline for reaching an agreement must not come at any cost.
“While we understand the pressure facing negotiators to reach an agreement during yesterday’s trilogue discussions, it must not come at any price.
Fintan Lawlor is a dedicated data protection consultant and solicitor at Lawlor Partners. For more information see our website : www.lawlorpartners.ie