Facebook: Companies would withdraw from talks with regulators if they face 2% turnover fine for data protection law breach

Out-Law News | 19 Nov 2012 | 1:13 pm | 3 min. read

Companies would withdraw their co-operation from data protection regulators and engage in lengthy court battles if regulators were given the power to fine companies 2% of global turnover for data protection law breaches, Facebook has said.

The social networking company said that the European Commission's proposed sanctions regime, contained in its draft General Data Protection Regulation, could also deter businesses from trading in the EU, and warned that it could deliver fewer "privacy benefits" than the Commission intends.

Facebook's comments were contained in a response to a consultation by the Irish Data Protection Commissioner (DPC) on the Commission's proposed Regulation. The comments were published (40-page / 5.79MB PDF) by campaign group Europe v Facebook. The group said it had obtained the company's response document following a freedom of information request to the DPC.

"The high level of potential sanctions for breaches of the Regulation risks turning relations between companies and regulators into a combative one and may undermine the incentive of internet companies to invest in the EU," Facebook said. "Facebook is concerned that the magnitude of potential fines will create a disincentive for innovation and associated job creation among internet service companies. This could be a major blow for the European Union given that the internet sector is widely recognised as the major driver of job creation and growth in an otherwise moribund economic environment."

"Moreover, it should be borne in mind that the level of potential sanctions might create a disincentive for open engagement by companies with regulators. Facebook's interaction with the DPC and other regulators across the EU has shown that a lot can be achieved through open and transparent dialogue, even on difficult issues. Irish data protection law, at present, obliges the DPC to seek an amicable resolution to disputes. This approach, with its focus on developing solutions and implementing best practice, is particularly beneficial when grappling with the data protection challenges which flow out of technological innovation," Facebook said.

"A regime that threatens businesses with such heavy fines would imperil this cooperation and drive people away from an open relationship with DPAs [data protection authorities]. Ultimately this will not deliver privacy benefits as effectively as a less litigious model likely to be engendered by the proposed sanctions regimes. The proposed regime will likely lead to lengthy court cases, potentially at considerable cost for the state," the company added.

In January the Commission outlined plans to bring the EU's data protection framework up-to-date with the digital age. Its proposed General Data Protection Regulation would replace the existing regime which the Commission has described as fragmented and outdated.

Under the plans regulators would have the power to fine businesses up to 2% of their annual global turnover for serious breaches of the Regulation. Organisations not engaged in economic activity can be fined up to €1 million for serious breaches.

The sanctions could also be imposed on companies that fail to act in accordance with a proposed new data breach notification regime.

Under the Commission's draft, organisations would be required to process and store personal data securely. Companies would be required to notify regulators, and any individuals concerned, with certain information about any data breach "without delay and, where feasible, not later than 24 hours after having become aware of it". The information should include recommendations on what people can do to "mitigate the possible adverse effects of the personal data breach".

However, in its DPC consultation response submitted in March, Facebook said that the provisions were "overly prescriptive" and said they may not enhance the security of personal data.

"The DPA notification requirement is an absolute requirement, which means that, in theory, even the most minor breaches must be reported to the DPA," Facebook said. "Facebook is concerned that this will not allow for effective prioritisation of the most serious breaches. The obligations also contain prescriptive requirements for the provision of information to the DPAs, which creates an additional layer of bureaucracy. Furthermore, these requirements will force DPAs to redirect resources away from privacy enforcement and towards the processing of notifications."

The social network also said that the timescale for informing individuals that there had been a breach affecting their personal data was insufficient and warned that the proposed process for notifying data subjects could be both "costly" and "cumbersome".

Facebook also raised concerns about the Commission's planned changes to the rules on 'consent'. Under the Commission's draft text, organisations seeking to rely on the consent of individuals in order to process their personal data fairly and lawfully would have to obtain those individuals' explicit, freely given, specific and informed consent through a statement or "clear affirmative action".

Facebook said that the provisions could result in internet firms using "more intrusive mechanisms to ask for consent for specific activities" in a way that has an "adverse effect" on users' online experience.

"This inevitably will lead to a potential 'devaluation' of the principle, and may make it harder for users to make judgements about when it is appropriate to give consent or withhold it," Facebook added.