Multinationals face data super-power

The likes of Sony, Google and Microsoft could face a fresh threat under the EU data protection reforms after a leading Brussels mandarin called for the launch of a new super-power to come down hard on multinational companies.
Under current proposals, big firms could escape the worst excesses of the EU General Data Protection Regulation as they will only be answerable to the regulator where they have their European HQ.
Many have offices in Ireland, whose regulator – the Office of the Data Protection Commissioner (DPC) – has a tiny presence and £1.2m in funding. The UK’s Information Commissioner’s Office by comparison has a budget of £20m and income from fees of £16.5m.
Now the Belgian government’s Under-Secretary for Data Protection, Bart Tommelein, has called for the creation of an EU-wide authority, that would supercede the ICO and adjudicate on matters of data protection across the 27-member organisation.
He plans to present the proposal to an informal meeting of Ministers of Justice in the Latvian capital Riga when they next meet.
The authority would be responsible for handling investigations against global companies, something national regulators would be ill-equipped to do, according to law journal, the National Law Review.
Currently there is a huge question mark over who will handle alleged transgressions of data protection laws by multinational organisations; different national data protection authorities can take very different attitudes over the same issues. This affects not only what is investigated, but the punishments they dish out.
For instance, the UK’s ICO was the only European regulator to fine Sony over its 2011 breach, which resulted in the personal information of about 77 million PSN users worldwide being compromised.
“The current EU data protection regime only mandates the creation of independent ‘national’ data protection authorities (possibly with regional ones for federations such as Germany) and a European Supervisor for compliance within EU institutions,” according to the National Law Review.
The Regulation does mandate for a European Data Protection Board, but without the power to levy fines – although the Regulation itself will allow national authorities to fine organisations up to €100m.

1 Comment on "Multinationals face data super-power"