U.S. business groups are warning that a sweeping new data privacy deal struck Tuesday by the European Parliament will chill growth abroad.
Critics say the proposed law, which follows years of negotiations, is part of a march toward privacy at the expense of corporations operating on the far side of the Atlantic.
The new regulations are intended to update a patchwork of rules written in the 1990s to give European citizens greater control over how their personal data is used and homogenize privacy regulations across the 28-member bloc.
Although the exact language of the law hasn’t been publicly announced, businesses have had a chance to respond to a series of draft proposals, and the contents are considered mostly solidified. A confirmation vote is expected Thursday, after which it will be put to a vote by Parliament as a whole in the new year.
Perhaps the most significant difference between the old rules and the replacement regulations is their scope: The new law will apply to all companies that provide goods and services in the EU, even if they do not maintain a place of business there — including free services, such as an app.
Also significant are the hefty fines allowed for companies that mishandle personal data. Under the new law, data protection authorities will be able to fine noncompliant companies up to 4 percent of the entire organization’s global revenue.
For a company such as Google, that could total billions of dollars.
Critics say the fines are disproportionate and would be based inappropriately on revenue that is unconnected to the part of the business that committed the infraction.
The new law would also put companies under the jurisdiction of the national data protection authority in the country where they keep their European headquarters.
Businesses originally supported this “one stop shop” provision of the law but have pushed back as negotiations progressed and the provision was weakened significantly to allow privacy regulators from other countries to initiate enforcement action.
The changes, some argue, make the new law no better than the status quo, in which companies face a patchwork of enforcement action from the 28 EU members.
Other changes include a likely 72-hour data breach notification policy as well as the enshrinement of the controversial “right to be forgotten,” under which citizens can request that companies such as Google and Facebook remove their private data from the Internet.
Onlookers say the law will have the biggest impact on smaller companies that will struggle to invest in privacy lawyers and other resources needed to comply.
“I think some of the requirements are going to be difficult for small companies to meet,” said Sue Foster, a privacy attorney at Mintz Levin who works in both the EU and the U.S.
A tougher stance on privacy has long been a sticking point between the U.S. and the EU, where data privacy is considered a fundamental right under the EU Charter.
Some business groups believe the European Parliament has put too much weight on protecting individual privacy, at the cost of healthy commerce.
“As the EU institutions enter the final stages of negotiations on the draft regulation, the question over whether a proper balance has been reached between supporting privacy rights and enhancing economic competitiveness still remains,” said Digital Europe, a Brussels-based trade organization whose members include Google and Microsoft.
Others see hints of protectionism in the new law, especially when viewed alongside a recent EU high court decision that has the potential to make it much more expensive for U.S. companies to handle European data.
“I think the majority of folks aren’t treating this as a protectionist issue, but there are those voices that do exist,” Schlosser said.
Others see protectionism as a byproduct of the new regulations, if not their intent.
“That might be a side effect, but I don’t think that’s the intent of the regulation at all,” Foster said. “What U.S. commentators often miss is the seriousness with which Europeans view the right to privacy.”