Businesses that breach the proposed new EU Data Protection Regulation (see previous article here) may face fines of up to €100 million or 5% of their annual worldwide turnover, whichever is the greater, if reforms proposed at EU level are adopted.

The fines are part of a package of reforms initially proposed by the European Commission, which also includes the following proposals:

• individuals should have a right to erasure (initially called a “right to be forgotten”), i.e. a right to have their personal data erased on request;
• the regulation should apply to non-EU businesses that operate on the European market; and
• stronger safeguards should be put in place for transfers of personal data to non-EU countries.

The position adopted by the European Parliament will be considered by the European Council when the justice ministers of EU member states meet again in December 2013 to discuss the proposed legislation. It had been hoped that all parties could reach an agreement and that the regulation could be finalised before May 2014 when the European Parliament elections are scheduled to be held but it now appears that the adoption of the regulation could be delayed until early 2015. This follows efforts by the UK government to push back the implementation date. Despite this, continued pressure from the Commission and the Parliament is expected in an effort to adopt the regulation before next spring.

Contributed by: John Magee