Both sides bash proposed EU data protection laws

The European data protection supervisor says the proposed laws are too weak, but businesses say they are too harsh

Proposed European laws on data protection have come under fire from both sides this week.

The reform of the 1995 Data Protection Directive is one of biggest shake-ups of data protection laws in the European Union in nearly 20 years, affecting Google, Facebook and Microsoft as well as thousands of midsized companies.

Alongside a revised directive, a new regulation will impose laws directly on E.U. member states. The laws aim to increase protection for personal data and harmonize rules across the E.U. But on Wednesday European Data Protection Supervisor Peter Hustinx said the directive is "unacceptably weak," while the British business community has complained that it is too onerous.

Hustinx warned that the regulation may grant excessive powers to the European Commission, but saved his real ire for the directive. "In many instances there is no justification whatsoever for departing from the rules provided in the proposed regulation," he said. He also complained about a lack of legal certainty about the further use of personal data by law enforcement authorities and the weak conditions for transfers to third countries.

British businesses, meanwhile, objected to the requirement to disclose data security breaches without delay normally "within 24 hours" with penalties of up to 2 percent of global turnover for companies that break the law. This new rule is widely seen as a reaction to the Sony PlayStation breach last April when Sony took more than a week to inform its 77 million customers that their data may have been at risk.

The U.S. Department of Commerce has also been critical, saying that 24 hours is "simply too short" and could lead to "massive fines" for companies and to confusing "false alarms" for consumers.

"Given the cost and complexity of assessing data breaches, 24 hours is just not enough time for many businesses. In some cases it takes many days to work out what data has been put at risk and by whom," said Kathryn Wynn, senior associate at technology law firm Pinsent Masons. "British companies are extremely concerned about this."

However, the laws are still in the early stages of a process that could last up to two years. Proposals must still be approved by European Union member states and the European Parliament. The regulation will be enforceable in all member states two years after it has been adopted. Countries will also have a period of two years to transpose the directive into national law.

Follow Jennifer on Twitter at @BrusselsGeek or email tips and comments to

Copyright © 2012 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon