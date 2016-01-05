(Corrects DEC 21 story to read Sidley Austin, paragraph 18)
* EU aims for more consistent privacy laws
* New measures leave room for duplication between regulators
* Critics also say measures risk adding to bureaucracy
BRUSSELS, Dec 21 Implementing the biggest
shake-up to Europe's fragmented data protection laws in two
decades may fail to provide companies with the consistency and
simplicity that had been promised across the 28-nation bloc.
A patchwork of privacy laws in the European Union, dating
back to 1995 when the internet was in its infancy, was
criticised for lacking teeth and being interpreted differently
across the EU.
To tackle those failings, the EU last week agreed a sweeping
overhaul of data protection rules which would introduce a single
rule book, fines of up to 4 percent of a company's global
turnover and simpler system of enforcement.
"A step change in sanctions will make privacy a board level
issue," said Tanguy Van Overstraeten, a lawyer at Linklaters.
"Some businesses will need to start taking these issues a lot
more seriously."
Privacy has long been a particularly sensitive issue in
Europe, where intrusive government surveillance during and after
World War Two has made its protection a fundamental right on a
par with guaranteeing the freedom of speech.
The exponential growth in data -- from people's credit card
habits, social media postings and wearable fitness devices
tracking their sleep and movements -- have fuelled concerns that
individuals do not have enough control over such information.
The new rules should be a boon for web companies such as
Google, Facebook and Amazon which do
business across Europe and who currently have to deal with a
series of national regulators.
EU Justice Commissioner Vera Jourova said on Monday that a
single data protection law would save businesses around 2.3
billion euros ($2.5 billion) a year.
However, critics of the new measures question whether
regulators will be able to cope with an increased workload and
whether the regulatory overlap has genuinely been removed.
"We are concerned that investors will be scared off from
investing in Europe and will look outside the continent to
finance the next big thing in technology," said the Industry
Coalition for Data Protection, whose members include Google,
Facebook, Amazon and IBM.
NATIONAL CONCERNS
The rules are tougher in some obvious ways.
Not all privacy regulators currently have the power to levy
fines. When they do, the amounts are often paltry compared to
the billions of dollars of revenues of the businesses involved.
One of the most significant changes that companies were
looking forward to was the "one-stop-shop".
Under the new law, which will come into force in two years,
companies operating across the EU should only have to deal with
the regulator in the country where they have their European
headquarters.
But it was watered down by member states who were eager to
protect the power of their national regulators to investigate
U.S. tech companies -- which hold swathes of Europeans' data --
and ensure citizens could still complain to their local
authority about a company located elsewhere.
That means any "concerned" authority will have the power to
object to the decision made by the "lead" authority -- the one
where the company has its EU headquarters.
Lawyers say that the definition of a concerned authority is
too broad and for some companies it will not be clear where
their main European base is.
"There is concern that the trigger for other data protection
authorities to get involved is too low," said William Long,
Partner at law firm Sidley Austin LLP.
But consumer groups say ensuring that citizens can still
complain to their local regulator is important for protecting
their privacy.
"If that proximity to the citizen is assured in a way that
I, as a consumer, can easily complain to my national supervisory
authority...that is a victory for citizens," said David Martin,
senior legal officer at BEUC, the European Consumer
Organisation.
Lawyers also point out it that the new EU rules leave many
issues to the discretion of individual countries and there is
still a risk that regulators could interpret them differently.
"It would be bad if an Italian company were sanctioned more
than a French one for the same thing," Jourova said in an
interview.
If there is disagreement between regulators the case will be
referred to a European Data Protection Board (EDPB), yet to be
created, to take binding decisions.
"The mechanism laid down in the data protection regulation
establishes a hyper bureaucratic procedure that will lead to
more complexity and longer procedures of law enforcement," said
Johannes Caspar, head of Hamburg's data protection authority in
Germany, which has jurisdiction over companies including Google
and Facebook.
