Companies Face Fines as Much as 2% of Sales Under EU Privacy Law

Companies face fines as high as 2 percent of yearly global sales for losing personal data under an overhaul of European Union privacy rules.

Data protection agencies in the EU’s 27 countries would gain the power to sanction companies that violate requirements for handling personal information proposed by the European Commission today. The measures, which also target online- advertising and social networking sites, update the EU’s 17- year-old data protection policies.

The EU overhaul would also clamp down on data lapses such as Sony’s six-day delay in warning customers about a cyber-attack that exposed more than 100 million customer accounts, the second-largest online data breach in U.S. history. Under the draft rules, serious violations such as processing sensitive data without an individual’s consent or without any legal justification, may be punished with penalties as high as 1 million euros ($1.3 million) or as much as 2 percent of a company’s yearly sales, the commission said. Less serious offences would be punished with smaller fines.