EU Considering Data Breach/Privacy Rules With Fines Of Five Percent Of A Retailer's Annual Revenue

The European Union is considering new rules that will enable it to fine retailers as much as five percent of their annual revenue—yep, you read that right—for breaching EU privacy rules. The rules would also cover the protection of payment-card data.

Reality check: It's only a proposed rule at this stage—it's slated to be introduced in January—and it's not clear how much enforcement authority it would have over Asian or North American retailers whose only connection to Europe is selling to European consumers from their home countries (as opposed to having a physical presence in Europe).

If enacted with enforcement teeth, this could be huge. Not only are the threatened amounts (at least the ceiling) orders of magnitude beyond what major U.S. chains have been threatened with by card brands and processors, but the threats are far more realistic. No one at Wal-Mart really fears that a bad data breach would mean the chain wouldn't be able to accept Visa anymore, and the fines are kept modest for the big boys given the nature of their business relationship. But the EU would have no such hesitation in leveling these fines, especially when the it gets to keep the much needed money. Think of a small-town police officer whose town is about to lay off cops due to budget cuts, unless revenue can be raised quickly. And the officer sees a speeding car with out-of-state plates. If this EU measure gets passed and you get breached, you're that speeding car with the out-of-state plates.

The original report in The Financial Times in London said this would be "the first significant update of data protection legislation since 1995." But final approval, the story said, could "take at least two years, with another two before the measures come into effect." And government approvals—especially from Germany—are not a given, meaning that the policy could be significantly weakened or killed.