Back in 2012, the European Commission proposed a comprehensive reform of the 1995 European data protection rules, aiming to “strengthen online privacy rights and boost Europe's digital economy”. In 2014 these new rules received the backing of the European Parliament. At the time, Vice-President Viviane Reding, the EU's Justice Commissioner, said “we need a uniform and strong European data protection law, which will make life easier for business and strengthen the protection of our citizens”.
The new rules essentially seek to establish tighter privacy provisions for users of online services, including cloud computing products, and create a single, pan-European law for data protection amongst the 28 member states. Under the new regulations, data protection authorities could fine companies up to 2% of their global annual turnover if they do not follow their obligations. Citizens would benefit from a “right to be forgotten” and easier access to their data, and companies would be required to disclose any data breaches (within 24 hours if feasible).
Where are we now and what happens next?
On 15th June 2015, the Council of Ministers took the proposals a step closer to becoming law after it reached a “general approach”, essentially confirming the approach taken in the Commission's proposal back in 2012. However, it should be noted that previously suggested figures of potential fines of up to €100 million or 5% of global annual turnover appear to have been revised down to €1 million or 2% of global annual turnover.
The European Parliament will need to approve the final text before the new regulations can come into force, and a trialogue meeting between the Council, the Commission and the Parliament has now been scheduled for 24th June 2015.
Reaction to the forthcoming changes
Large technology companies are reportedly concerned that Europe's cloud computing industry could be damaged by the new data protection rules, and fear that they could also introduce uncertainty in business-to-business relations. Of particular concern is a clause that would allow companies that merely process data - such as cloud storage providers - to be sued. Commenting, Liam Benham, Vice President of Government and Regulatory Affairs at IBM, warned that the new proposed regulation “risks blurring these lines of responsibility [for the processing of data], setting the stage for lengthy and costly legal disputes, which will be perplexing for consumers and businesses alike.”
However, Monique Goyens, director general of the European Consumer Organisation, has welcomed the development, saying that the “new regulation is the opportunity to close gaps, ensure robust standards and stipulate that EU laws apply to all businesses operating here.”