A proposed new data-protection law for the European Union includes fines of up to 2% of global turnover for companies that breach the rules, E.U. Justice Commissioner Viviane Reding announced Wednesday.
Despite rumors that the figure would be 5%, Reding insisted the legislative proposals had not been watered down. "Five percent was not something in my pipeline," she said at a news conference to unveil the proposals.
Fines will be on a sliding scale: 0.5% of a company's global turnover for charging a user for a data request, 1% if a firm refused to hand over data or failed to correct bad information and 2% for more serious violations.
Under the proposals, companies with more than 250 employees will have to appoint a data-protection officer to be responsible for compliance with the new rules, which include the controversial "right to be forgotten", allowing people to have data held about them deleted if there are no legitimate grounds for retaining it.
Reding insisted that "personal data belongs to the person" and that individuals have the right to take any information about them held by a company and move it to another company. They also have the right to insist that personal data be deleted, and companies must comply unless they can show legitimate grounds for retaining the data.
Reding also said that companies would have to report data security breaches "as soon as possible" -- which she said means 24 hours.
The news was welcomed by Green member of the European Parliament Jan Philipp Albrecht.
"We particularly welcome the proposals to impose conditions and time limits on the use of data from individuals who volunteer their private information. In the current online era it is easy for internet users to lose sight of private data that they volunteer online or simply forget, making it all the more important to ensure safeguards are in place. To this end, the proposals for sanctions against major online businesses that abuse private data are also welcome," Albrecht said.
However some industry representatives were less pleased.
"The Commission's proposal today errs too far in the direction of imposing prescriptive mandates for how enterprises must collect, store, and manage information. The rules should focus more on the substantive outcomes that matter most to citizens. The risk in the proposal's current design is that it will bog down companies with onerous compliance obligations, which could inhibit digital innovation at the expense of job creation and growth," said Thomas BouA(c), European director of government affairs for the Business Software Alliance.
The reform of the E.U.'s old 1995 Data Protection Directive is one of the key pieces of legislation the European Commission is pushing in 2012, but it has been dogged by more criticism than is usual for a directive reform proposal.
Wednesday's announcement, however is just the first step in a long process as the proposals must still be approved by E.U. member states and the European Parliament.