Poor implementation of EU data protection legislation by the accession countries has created a potential minefield for pan-European businesses, a report by magic circle firm Linklaters claimed last week.
The combination of badly drafted legislation and heavy criminal penalties is likely to force businesses to locate key processing hubs outside the EU altogether, the report found.
Some countries have implemented legislation that will apply even to companies not established in that jurisdiction, the report revealed, while seven out of ten of the new member states have imposed strict jail terms for breaches of data protection law.
Companies collecting personal data from Hungary over the Internet will be subject to Hungarian data protection legislation, while data relating to Slovenian nationals will be protected by Slovenian law regardless of how or where the information was collected, according to the report. Legislation implemented by Malta, Latvia, and Slovenia is at odds with the free trade objective of the EU directives on data protection and e-privacy, the report suggested, because it imposes tough administrative burdens on the transfer of data to other European countries.
Linklaters' head of IT and communications Christopher Millard said: 'The divergences of implementation mean greater costs for pan-European businesses and greater frustration in achieving compliance ... Some businesses may conclude it is impossible to reconcile their standardised business processes with the inconsistent national data protection regimes within the EU. As a consequence, they may decide to locate key processing hubs elsewhere.
'Others may be tempted to ignore specific rules that appear to be inconsistent with the directives. This, however, would be a high-risk strategy given the harsh criminal penalties that characterise many of the new laws in the accession countries.'