EC Data Protection Regulation Proposal Costs Outweigh Benefits, U.K. Government Reports

LONDON--The European Commission's proposed data protection regulation would impose more burdens on organizations than benefits, according to a U.K. Ministry of Justice (MOJ) impact assessment released Nov. 22.

In its assessment, the MOJ dismissed claims by the European Commission that a more harmonized data protection regime in the European Union could bring financial benefits totaling €2.3 billion ($3.6 billion) to the bloc each year.

The EC failed “to address the full costs and unintended consequences of its own proposals, by only considering administrative costs,” Parliamentary Under-Secretary of State (MOJ) Helen Grant said in a Nov. 22 statement announcing the release of the impact assessment.

The EC's cost-saving projection, which it released in January alongside its proposed data protection regulation (11 PVLR 179, 1/30/12), fails to include policy and compliance costs and underestimates administrative costs, particularly to small businesses, Grant said.

“At a time when the Eurozone appears to be slipping back into recession … it is difficult therefore to justify the extra red-tape and tick box compliance that the proposal represents,” Grant concluded.

Overestimated Benefits, New Compliance Costs.

According to the Impact Assessment, the Commission overestimated the savings that less legal fragmentation could bring to EU organizations because it based its estimates on the assumption that some 900,000 large organizations would face compliance costs of only €1,000 ($1,602) a year for every additional Member State in which they are established.

However, the MOJ said that the real number of such businesses standing to make substantial savings from greater harmonization would in fact be far smaller at about 42,000.

At the same time, the MOJ said the EC failed to quantify costs arising from having to comply with proposed new requirements, including: appointing data protection officers; carrying out data protection impact assessments; notifying data protection authorities and individuals of data breaches; providing data subjects access to their information free of charge; and demonstrating compliance.

The MOJ estimated the total cost of paying for new requirements under the EC's proposed regulation in the United Kingdom would be £320 million ($512.8 million) in a twelve-month period covering 2016-17, the expected timeline for final implementation of the new regulation. Meanwhile, the total benefits for the same organizations over the same period would be £200 million ($320.5 million), the MOJ said.

Breach Notice Costs Underestimated.

The MOJ also rejected EC estimates that under the regulation, some 1,000 additional data breaches would be notified to supervisory authorities, for a total new administrative cost of only €20 million ($25.8 million) a year.

The assessment said that in the United Kingdom, 45 percent of large businesses and 11 percent of small firms report at least one breach per year, and that if required to provide breach notice under the regulation their estimated yearly costs would be between £30 million ($48 million) and £130 million ($208.3 million).

In addition, the MOJ dismissed EC claims that the new regulation will increase cross-border trade, saying that the higher costs to data controllers under the proposed regulation will weaken the competitiveness of U.K. businesses.

By Ali Qassim  

The U.K. Ministry of Justice's “Impact Assessment: Proposal for an EU Data Protection Regulation” is available at
