Safety flags: governments want the updated guidelines drawn up as quickly as possible

Things were different in 1995. Netscape was the world’s most popular browser, an online bookseller in Seattle, Amazon, had just gone live on the net and Facebook founder Mark Zuckerberg was 11. It was also the year that the EU introduced its current data protection rules.


A lot has changed since then — Netscape is no more, Amazon has revenues of $89bn and Facebook has 1.4bn users a month. The Data Protection Directive, however, still provides the backbone of the EU’s regulations.


Now, after three years of wrangling among member states, MEPs and the European Commission, we are close to the introduction of new regulations that will update data protection laws. But how will this affect companies?


1. Things will be the same across all 28 member states.

At the moment, all countries in the EU technically follow the same rules, but each has transposed them into its own national law and interprets and enforces them differently. This has led to what some critics call a “privacy patchwork”. The current EU rules on data protection take the form of a directive, which gives national governments significant leeway in how they implement and enforce them.


“All the 28 states have loopholes,” says Jan Philipp Albrecht, the MEP tasked with steering the legislation through the European parliament. “There are so many provisions that you can always find a way out.”

But the new rules on data protection will be binding in all member states and must be applied in the same way, whether in Ljubljana, Lisbon or London. Companies should expect the same treatment wherever they operate.


2. If you step out of line, expect a fine.

The new rules will have teeth. The sanctions, the level of which is still being debated by governments, will be far higher than the penalties regulators normally impose today.

Fines of up to €100m, or 5 per cent of global revenue, are being debated. This would be a big change to the status quo in many member states, where fines are often token amounts. Britain’s data protection regulator, for instance, can impose a maximum penalty of £500,000 for a breach.

“This will put data protection on the same level as antitrust in terms of sanctions,” says Ian Birdsey, a privacy expert at law firm Pinsent Masons.


Before, a data protection breach was a reputational problem. But under the new rules, any missteps could swiftly qualify for a hefty financial penalty, too.


3. You may have to deal with more than one data protection agency, as well as a European one.

The original proposal had plans for a so-called “one-stop shop”. This would have meant that a data protection authority in one country would deal with complaints related to a company based there. So, Facebook users in, say, Finland, would have to complain to the Irish data protection commissioner if they felt aggrieved by the social network, which has its European head office in Dublin.


But this idea has been diluted, after some governments complained about the difficulty and expense of complaining in a foreign country, sometimes in a foreign language.



Instead, one data protection agency will take the lead, but other agencies will be able to take part in the case and express an opinion. Disputes between them will be settled by a new supranational regulator.


Florence Raynal, head of the department of European and international affairs at CNIL, France’s data protection authority, says: “Multinational companies are doing business across 28 territories. It’s about having a balanced collaboration, with of course a main contact point for the business.”


But how this will work in practice is still to be decided.


4. All businesses will have to consider data protection in all their services.

Now that everything from bank details to baby pictures exists online, regulators and consumers are far more concerned about data protection.

Companies need to be aware of this and implement privacy by design, building data protection into products and services from the outset rather than treating it as a box-ticking exercise, according to William Long, a partner at Sidley Austin, a law firm. “We want to move away from notional data privacy compliance,” says Mr Long. Appointing a data protection officer is likely to become mandatory for companies above a certain size, although the threshold is still being debated.


5. But there is still some waiting to do.

There will be plenty of legislative twists and turns before companies will see the new rules. Most governments — particularly that of Germany, where data protection is a key political concern — want the regulation finalised as quickly as possible.


Before the end of the year, the text will be hammered out behind closed doors between the European Parliament, the Commission and member governments. While the text will not be ripped up and started again, significant tweaks are still likely to occur before it is due to come into force.