EU privacy laws too harsh for start-ups to survive – SAP

18 Jan 2017


The EU is at a pivotal point in history for numerous reasons, but its data privacy problem is one of its most telling concerns. SAP isn’t happy with attempts to legislate, either.

In what was billed as the most important change to data protection law in Europe for 20 years, the EU’s General Data Protection Regulation (GDPR) emerged into view in December.

Passed by the European Parliament’s Civil Liberties, Justice and Home Affairs Committee before Christmas, it set out strict punishments for companies operating in the EU which flout privacy laws.

SAP, the German software giant, has concerns of the restrictions this could place on start-ups throughout the Union.

Bernd Leukert, head of products and innovation at SAP, told the Financial Times that the penalties were too high, “especially for just a single violation”.

According to GDPR, companies in the EU can be fined up to 4pc of global revenues or a maximum of €20m (whichever is bigger) for significant breaches of data privacy.

“If you have 25 violations, your entire revenue is gone,” he said, adding that this would act as a drag on European start-ups.

The GDPR will apply to the processing of personal data by businesses and organisations that are operating in the EU, regardless of whether the processing takes place in the EU.

“The more bureaucracy, the more complexity you have in your business segment, the harder it is to grow fast, and speed is what matters these days,” said Leukert.

Interestingly, Leukert also highlighted the risk of divergent paths between the US and EU, claiming that an international approach is needed. Why that approach should follow the US example, rather than the EU way, is not clear.

Meanwhile, the EU’s desire to finally sort out Privacy Shield (an agreement on data rules between it and the US) will see EU Justice Commissioner Věra Jourová head for the US to meet with the impending Trump administration.

Jourová wants to ensure the US government maintains a “culture of privacy” – despite years of evidence to the contrary – under the new administration.

Privacy Shield, a replacement for Safe Harbour (which was widely undermined by US activities and uncovered via Edward Snowden), is her plan for just that. It’s something the outgoing US administration is wary of losing grip on, despite not agreeing on it entirely just yet.

The outgoing US Ambassador to the EU, Anthony Gardner, recently spoke of his concerns ahead of Donald Trump’s inauguration. He claimed Privacy Shield was an achievement and that greater ties between the EU and the US are a must.

“Never before will the weight of history be so heavy on the shoulders of Europe to carry the flame of democracy, human rights and the values that have guided the transatlantic partnership for decades,” he said.

“And that weight of history is not only the shoulders of Germany but also on all European countries and on the shoulders of the EU institutions.”

While the EU-US Privacy Shield is not quite a done deal just yet, the Switzerland-US one is. The framework defines standards for handling personal data exported from Switzerland to the US and enables US companies to meet Swiss legal requirements to protect personal data transferred from Switzerland.

This is similar to the EU version, but with one or two differences. Most notably, what it terms as “sensitive information”. Under the Swiss deal, this means any “information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings”.

Gordon Hunt was a journalist with Silicon Republic