Companies face fines as high as 2 percent of yearly global sales for losing personal data under an overhaul of European Union privacy rules.
Data protection agencies in the EU’s 27 countries would gain the power to sanction companies that violate requirements for handling personal information proposed by the European Commission today. The measures, which also target online-advertising and social networking sites, update the EU’s 17-year-old data protection policies.
The EU overhaul would also clamp down on data lapses such as Sony Corp.’s six-day delay in warning customers about a cyber attack that exposed more than 100 million customer accounts, the second-largest online data breach in U.S. history. Industry groups with members including Microsoft Corp. and Google Inc. have warned against overly strict data-privacy rules that may stifle innovation.
“The protection of personal data is a fundamental right for all Europeans,” said EU Justice Commissioner Viviane Reding in a statement today. “My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information.”
Under the draft rules, serious violations, such as processing sensitive data without an individual’s consent or without any legal justification, may be punished with penalties as high as 1 million euros ($1.3 million) or as much as 2 percent of a company’s yearly sales, the commission said. Less serious offences would be punished with smaller fines.