EurActiv.com

04/12/2016

EU privacy reform: Who pays when the rules are broken?

Pro-privacy protestor, Berlin.

[Markus Winkler/Flickr]

New European Union data protection rules expected to be agreed on Monday (15 June) will allow citizens to sue companies that own data as well as those that process it on their behalf, for example cloud computing providers.

The new system is opposed by companies such as Germany’s SAP, IBM, Cisco and Amazon, which say it will kill off Europe’s cloud computing industry and introduce uncertainty into business-to-business relations.

EU officials say the issue has been the subject of fierce lobbying from companies, who warn it could hamper the creation of a unified market in digital services, a key plank of the European Commission’s agenda to boost economic growth in the 28-nation EU.

Under the current, 20-year-old system, cloud providers – companies offering remote storage and processing of data on servers – are classified as “processors” since they do not collect the data themselves. That means they are not held liable for using the data illegally unless they breach the contract with the company for which they are processing – the data “controller.”

EU ministers will seek to reach an agreement on the data protection reform at a meeting in Luxembourg on Monday, after which final negotiations with the European Parliament will start.

“One key issue is who pays if rules (are) broken,” said an EU diplomat.

Companies argue that the current system works well and makes it easier for consumers by giving them a single point of contact. For example, if a bank breaks data protection laws, it would make more sense for the person affected to sue the bank, rather than the companies to which it outsources its human resources functions.

“It is important that consumers and businesses understand who ultimately is responsible for processing their data,” said Liam Benham, Vice President of Government and Regulatory Affairs at IBM. “Now the EU’s draft Data Protection Regulation risks blurring these lines of responsibility, setting the stage for lengthy and costly legal disputes, which will be perplexing for consumers and businesses alike.”

Part of the reason for spreading responsibility across several players is that data is often collected by one company, stored by another and processed by a third.

Additionally, many cloud providers are large companies such as SAP, Cisco and Amazon. The Commission feared cloud companies would be able to impose unfair terms on small businesses, which would then bear the brunt of the responsibility if something went wrong.

“If an SME finds it hard to find a processor that doesn’t want to comply with European contract terms, there is plenty of choice,” said Rene Summer, spokesman for the Coalition of European Organisations on Data Protection, which includes SAP, Nokia Oyj and Ericsson.

(EurActiv.com with Reuters)