Editor, Solicitors Journal

Breaches of new EU reforms will see global businesses fined millions

17 Dec 2015News

Boardroom to finally take heed of data protection regulations with new 'game changer' regime

Breaches of new EU data protection reforms mean businesses will face financial sanctions on global revenues, costing internet companies millions.

After three years of negotiations the rules have finally been agreed upon by European lawmakers, harmonising data protection rights across the EU for the first time.

The reforms consist of two instruments; the General Data Protection Regulation and Data Protection Directive.

The regulation focuses on enabling people to control their data, while cutting red tape to help businesses benefit from the Digital Single Market.

The directive aims to help the police and criminal justice sector combat crime and terrorism more effectively across Europe.

Expected to come into force early in 2016, member states will have two years to implement the reforms before they become applicable.

The new regime will give individuals more control over the use of their personal data and introduce fines of up to 4 per cent. This could result in some of the biggest internet firms, such as Facebook and Google, paying unprecedented amounts.

Kenny Mullen, Withers's head of IP and data protection, said the higher financial penalties make the new rules a 'game-changer'.

'Weak sanctions was the criticism often levelled at the old data protection regime, but that's simply not going to be true anymore,' he said.

'Anyone who does business in the EU needs to sit up and take notice of these rules, if they haven't already.'

Phil Lee, a partner at Fieldfisher, said companies will now start paying greater attention to data protection.

'Businesses that get it wrong face substantial fines, potentially up to 4 per cent of global turnover. If data protection hadn't previously reached board level before, it's about to now,' Lee commented.

'Fundamentally, the regulation is about accountability. It's about businesses not only being compliant, but being able to show they're compliant.'

Parental consent

The right to be forgotten will also be extended and the age of consent for data processing set at 16. Member states can, though, lower the age to 13 with parental consent.

The Family Online Safety Institute has, however, expressed disappointment that the proposals did not consider the millions of children who are already active users.

A statement read: 'The feasibility of suspending their accounts and banning them from the platforms will be nearly impossible to implement. Furthermore, vital protections offered to younger users of social media sites may be invalidated by causing children to lie about their true age.

'Restricting teens' use of social media in the absence of parental consent will adversely affect the use of these tools in the area of education, which has expanded and proved incredibly beneficial, both within classrooms and independently.'

Matthew Rogers is an editorial assistant at Solicitors Journal matthew.rogers@solicitorsjournal.co.uk | @sportslawmatt

Legal News desk contact: editorial@solicitorsjournal.com

Latest Articles

Can artificial intelligence be trusted for legal research? Lessons from Ayinde

James Tumbridge, a Partner at Keystone Law, looks at the decision in Ayinde, R (On the Application Of) v London Borough of Haringey [2025] EWHC 1383 (Admin) (6 June 2025) concerning the duties that lawyers owe to the court and the actual or suspected use of artificial intelligence by lawyers to generate legal documents or arguments without adequate checking of the outputs