Date: 2015-12-14
By Julia Fioretti
BRUSSELS Dec 14 A sweeping reform of fragmented
laws governing the uses of personal data set to be agreed by the
European Union on Tuesday will force companies to report privacy
breaches to authorities or face stiff sanctions.
EU governments and members of the European Parliament are
expected to agree the new data protection law, which would
replace a patchwork of 28 different laws and give regulators
greater enforcement powers.
A problem with current laws, which date back to the 1990s,
is that regulators can only levy fines which are puny in
comparison to the revenues of the companies involved. Some
privacy watchdogs do not even have that power.
The threat of sanctions of 4 or 5 percent of global
revenues, depending on the outcome of Tuesday's negotiations,
should make businesses more mindful of data protection, lawyers
and privacy activists say.
However, the new law aims to make doing business across the
EU easier by subjecting companies to just one regulator, in
whatever country they have their European headquarters.
The so-called one-stop-shop system seeks to prevent
companies from having to deal with a different regulator in each
country where they operate, a particular headache for the likes
of Google and Facebook.
The problem has been highlighted by Facebook's spat with the
Belgian Privacy Commission, which sued the company even though
Facebook argues it should only be regulated by the authority in
Ireland, where it has its European headquarters.
The law will bring in strict requirements that national
authorities be alerted within 72 hours of when data breaches
occur, an issue highlighted by leaks of customer information at
British telecom operator TalkTalk over the past year.
Companies will also have to inform their customers of data
breaches as soon as possible.
The lack of reported big data breaches in Europe has bred
widescale disregard for the everyday threats facing consumers
and businesses, say cybersecurity, legal and policy experts.
For while headline-grabbing cyber attacks in the United
States have become commonplace, the risks of stolen customer
data in Europe may be similar, although far less often
reported, because of a patchwork of outdated regulation.
"It is believed that many breached organisations are not
currently disclosing breaches so the new directive will force
the hand of organisations," said Jeremy King, international
director at payments security trade group PCI Security Standards
Council.
