Consumers' right to be forgotten also came under fire from industry. "Introduction of the so-called 'right to be forgotten' goes beyond a justifiable desire to enhance individuals' ability to erase their personal data on the Internet and creates a right that will be difficult to implement and that may have a chilling effect on the use of the Internet in the E.U. The new rules for allocating responsibility between data controllers and data processors will place a heavy burden on many E.U. companies to revise their contracts with non-EU service providers, a process over which they may have little control," said Wim Nauwelaerts, partner in the privacy and data security practice at Brussels law firm Hunton & Williams.
"In a further difficulty, the new regulations also require 'data portability' which means businesses risk having to transfer valuable data to their competitors if requested to do so by the individuals themselves," added Mark Owen, partner at London media law firm Harbottle & Lewis. "All this may well make it much more difficult for companies to use behavioral advertising techniques and will also place an administrative burden on insurance companies and suppliers of credit who routinely rely on statistical profiling."
The Commission claims that the new measures will save European businesses money by unifying the bloc's 27 different national data privacy laws. "Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors -- a requirement that has led to unnecessary paperwork and costs businesses €130 million per year -- the Regulation provides for increased responsibility and accountability for those processing personal data," said the Commission.
However, many companies will have to perform privacy impact assessments at a cost of around €14,000 (US$18,163). Companies with more than 250 people will also have to appoint a data protection officer.
"A big question is whether the business community will be willing or able to police itself. If it can't, businesses could find themselves exposed to regular reviews by official regulatory bodies. The definition of a 'breach' will also have to be made clear. Will it depend on the number of records or documents exposed, for example, or on the type of information leaked? Organizations should prepare for both of these options," said Christian Toon, head of information security for Iron Mountain Europe.
The incentive for companies to prepare for the new laws is increased fines based on global revenues -- up to 2 percent of worldwide revenues for the most serious infractions. Commission experts said, however, that the fines would be proportional to the seriousness of the offense and that smaller businesses would not be fined for a first infraction.