All EU countries except Germany and Austria are unprepared for a major overhaul of the bloc’s privacy rules that will go into effect in May. The European Commission is amping up pressure on the 26 member states that are lagging behind.
Companies operating in the EU are bracing themselves for a big legal change: starting on 25 May, they will face fines of up to €20 million, or 4% of their global turnover, if they don’t respect the bloc’s strict new data protection regulation.
Most member states still haven’t adjusted their national rules to make room for the overhaul. EU Justice Chief Vera Jourova told a news conference on Wednesday (24 January) that the 26 countries lagging behind are now “in a big rush” to make sure they can comply with the law.
The Commission could slap countries that don’t meet the May deadline with a lawsuit. In several member states, draft changes to national privacy rules are expected to face Parliament votes early this year, and could be approved in time.
A handful of member states are dragging their feet. Since the EU regulation was passed in 2016, the Commission has held 13 meetings to work through details with national legal experts. One EU source said that Italian government officials skipped those meetings. Italy is one of the countries that is moving slowly; it’s expected to finalise changes to its privacy rules after the May deadline.
Other countries are already looking to bend the rules. Poland recently proposed an exemption from the law for companies with fewer than 250 employees, arguing that it would be hard and expensive for them to comply.
Jourova warned against member states that want to add loopholes to exclude government offices from following the rules.
“These are the kinds of matters which we expect the member states to solve, which will not break the unity of the rules for the EU but which will capture the specificities needed for the public sector in each member state,” she said.
Last year, Ireland proposed excluding public bodies from the hefty new fines if they are caught breaking the rules.
The EU justice chief said she worries that if member states draft their own rules and apply them differently, the new regulation “would lose its whole value and strength”.
The Commission has earmarked €3.7 million to train authorities in charge of enforcing the law in member states and to help them inform businesses about the changes.
Under the data protection regulation, companies that operate in the EU will be required to report to national authorities within 72 hours if they experience breaches that expose their users’ personal data.
National data protection authorities will be armed with expanded powers to sanction misbehaving firms.
On Wednesday, Jourova blasted ride-hailing app Uber for hiding a massive data breach for more than one year that exposed private information from approximately 57 million of its users, including names, email addresses and mobile phone numbers.
When the company admitted last November that it had covered up the security breach, national privacy watchdogs from seven EU countries, including Italy, Spain, France, Germany, the UK and Belgium, joined together to investigate. Uber said it will cooperate with the authorities.
While the seven watchdogs are sharing information, their investigations remain separate national probes. They can separately force Uber to pay fines in each country where users were affected, but those penalties are fairly low.
But if a similar breach happens under the new data protection regulation, authorities can fine companies up to €20 million, or 4% of global turnover, whichever is higher.