The cost of implementing the proposed amendments to the data protection regime in the EU will far outweigh the benefits, an impact assessment led by the UK’s Ministry of Justice has concluded.
The European Commission has predicted that the new rules, announced in January and currently working their way through the European Parliament, will save the EU economy €2.3 billion, by harmonising laws among member states therefore reducing legal costs for multi-nationals.
However, the Ministry of Justice’s assessment concludes that the EU has overestimated the benefits and underestimated the costs.
For one thing, it argues, the Commission has overstated the number of businesses that will benefit from harmonised legislation.
"The EU Commission estimate of savings from reducing legal fragmentation […] is based on the assumption that just over 900,000 businesses face compliance costs of €1,000 p.a (£800) for every additional Member State in which they are established," it explains. "[However] there are only 42,000 large businesses in the EU and evidence from the Federation of Small Business suggests that smaller businesses are less likely to face costs from legal fragmentation."
The Commission has also underestimated the cost of a proposed data breach notification law, it argues. "The EU Commission estimates that only 1,000 additional data breaches will be notified to supervisory authorities; giving an administrative cost of €20 million (£16 million)," the document reads. "However, survey evidence suggests that 45% of large UK companies and 11% of small companies have at least one breach per year. For the UK alone, reporting breaches is estimated to cost £30-£130 million p.a. in 2012/13 earnings terms.
And it has underestimated the impact of removing the £10 fee for subject access requests, the Ministry of Justice says. "The cost of dealing with additional subject access requests that will arise from the removal of the fee is also excluded."
In all, the Ministry predicts that the new rules would deliver a £150 million benefit to the UK economy in 2016-17, when they are due to be introduced, and cost £370 million. The net impact will therefore be a £220 million loss. This will gradually decrease in relative terms to around £200 each year by 2022.
"The UK government is seriously concerned about the potential economic impact of the proposed data protection regulation," said justice minister Helen Grant in a written statement. "At a time when the Eurozone appears to be slipping back into recession, reducing the regulatory burden to secure growth must be the priority for all Member States. It is difficult therefore to justify the extra red-tape and tick box compliance that the proposal represents.
"The UK government will continue to push for a lasting data protection framework that is proportionate, and that minimises the burdens on businesses and other organisations, whilst giving individuals real protection in how their personal data is processed."