
The new EU law on personal data raises as many questions as the Russian law

by admin

Today, on December 15, EU regulators are expected to adopt a new law on personal data protection. The law has been under discussion in the EU for four years. It will replace the current system of 28 separate European laws. Regulators say the new law will toughen rules to protect Internet users and cut costly red tape for companies.
In the course of preparing the bill, IT companies got several of the most controversial provisions of the law softened. They relate to mandatory user consent for data use, as well as warnings about electronic surveillance by government agencies.
However, some companies (cloud computing, online advertising sales and other online businesses) fear that the passage of the law will increase the risks and costs for them when operating in Europe.
"Companies may decide that it’s too risky to innovate in the European market," explains Alexander Whalen, policy director of the Digital Europe Association (which includes dozens of companies, including Microsoft and Google).
EU officials continue to discuss how to impose fines on violators of the new rules.
The original proposal was to set the maximum fine at 2% of the offending company’s worldwide revenue. Parliament insisted on raising the fine to 5% of revenues. Individual governments initially approved the commission’s version, but then agreed to raise the amount to 4%. That option is expected to pass, writes Vedomosti.
"If a violation is found only in a small European division of a multinational company, the entire company, in its entirety, will be penalized. It would be fairer to impose a fine in proportion to the size of the company’s local business and the scale of the damage caused," argues Rene Summer, Ericsson’s director of government and business relations.
Disagreements also remain on other points of the law, including provisions for companies to obtain user consent for data use, as well as the allocation of liability for breaches. Liability is now expected to fall not only on the companies collecting and using the data, but also on the data centers and cloud storage facilities with which those companies work.
Once the new rules are adopted, companies will have two years to bring their businesses into compliance.
On September 1, an updated law on personal data entered into force in Russia. The changes also dealt with security issues. However, in our country security is apparently interpreted more as protection of domestic users from foreign companies. Foreign companies working in Russia and with Russian citizens were obliged to move servers holding personal data to the territory of our country.
At the same time, the law allows processing of personal data abroad in cases where companies’ activities are regulated by international treaties, Alexander Zharov said yesterday. Thus, visa centers, air carriers and mass media are excluded from the law.
Roskomnadzor, on behalf of the General Prosecutor’s Office, may begin inspecting companies if they receive relevant appeals from citizens who believe that the services are processing user data in violation of the law.
According to the head of Roskomnadzor Alexander Zharov, the inspection will take place as follows: "The [Roskomnadzor] inspector comes to a company that works with personal data and says: ‘Please provide documents that confirm that the server facilities where this data is stored are in the Russian Federation.’ The company answers: ‘Please.’ In 99.9% of cases this is the end of the audit."
If a violation is found, Roskomnadzor is obliged to take the case to court to determine the amount of damage caused to Russian citizens. There are two types of punishment for violating companies: fines and website blocking.
The new wording of the Russian law caused not just criticism, but claims that it is unenforceable: "For example, in the case of distributed storage systems, when the information is not physically localized on one server, but is distributed all over the world. That is, even having a company’s servers in a country does not guarantee that anything meaningful is stored on its territory at all," wrote a Megabrain user.
