The cost of compliance
There are widely differing estimates about the economic benefits – if any – of a new EU data-protection regime
The European Commission, businesses and national governments have been jostling to put a figure on the benefits or costs of a revised data-protection regime in the European Union. But their estimates are so far apart that the truth may be that it is still too early to tell what impact new rules would have on the economy.
The Commission’s assessment of the proposal’s costs and benefits trumpeted net savings for business in the region of €2 billion a year. “The vote by the European Parliament…paves the way for a uniform and strong European data-protection law that will cut costs for business,” said Viviane Reding, the European commissioner for justice, fundamental rights and citizenship, after MEPs had backed the Commission initiative, albeit with substantial amendments.
The Commission says that companies would save €2.9bn by no longer having to navigate 28 different data-protection regimes, offsetting any additional compliance costs – estimated at €900 million. These figures do not include the benefits for companies from new business. The Commission predicts that creating a level playing-field across the EU and greater consumer confidence would provide a boost to the economy.
Yet the economics of the proposal are not as clear as the Commission makes out. Research conducted by the British government estimated that the data-protection proposal would cost UK firms between €80m and €320m every year. This finding is backed up by economists Laurits Christensen and Federico Etro, writing in the Intereconomics newsletter, who estimated that companies face “large” compliance costs that exceed any savings. In particular, IT costs for small and medium-sized enterprises (SMEs) could increase by between €3,000 and €7,200 per year, they claim.
Business outcry
The business sector has been very vocal in its criticism of the proposed rules. “There will be a huge compliance burden on any business that uses data, and in the 21st century that’s every business”, says Chris Padilla of IBM. Being required to create a dedicated privacy officer is one major concern for companies, including SMEs which fear they will be affected by the rules as a result of MEPs’ amendments.
Rules that would oblige companies to provide customers upon request with a portable version of all the data stored by the company are a major concern. In particular, companies fear that they will have to revamp data-management systems, company software and business practices. Companies also complain that blunt, bureaucratic rules imposed by the EU will interfere with finely-tuned internal processes. For example, the EU is considering a rule that would require companies to undertake data-protection impact assessments when conducting any operations giving rise to particular risks.
David Hoffman, Intel’s global privacy officer and director of security policy, says such rules would hamper the design and compliance process within companies that already have an internal privacy assessment procedure. “They should let privacy assessments be a dynamic dialogue between teams,” says Hoffman. Instead, “legal departments will be concerned about whether the assessments will look bad out of context”.
In addition, preparing privacy impact submissions for data-protection authorities would inevitably pull privacy specialists away from the product design process, he says.
Medtech, an association representing the medical technology industry, has also voiced concerns that data-protection rules could end up making product development more onerous for companies working on e-health, without providing appreciable benefits.
Research published by the Information Commissioner’s Office, the UK’s data-protection body, suggests it may be too early to draw firm conclusions. It agreed with the Commission that the use of online and data-driven services could increase dramatically if new rules bolstered consumer confidence. But it cast doubt on the studies undertaken so far, finding that most companies knew neither how much they spent on data protection nor how the proposed rules would affect them. Those companies most affected by the rules are also likely to have extensive data-protection procedures and staff already in place, including someone fulfilling a role akin to the data-protection officer, the British report said.
An added complication in trying to predict the impact of revised data protection on business is that companies in different countries will be affected differently. For example, Germany’s data protection rules are stricter, and closer to the EU proposal, than the UK regime – which may explain why the British government has been such a strong opponent of the reforms.