updated on 03 December 2013
Question: What will be the impact of the new proposed data protection regulation?
Data protection plays an important part in our everyday lives and is a prevalent issue for businesses and individuals alike. Whether you are browsing online, posting something on Facebook or agreeing to the terms and conditions at the bottom of a contract, your privacy and the security of your data is affected. The United Kingdom currently protects individuals through the Data Protection Act 1998 (DPA). Implementing an EU-wide Data Protection Directive (the current directive), this piece of legislation aims to provide certain rights to individuals and impose certain duties on those who collect, use and control our personal data, with the aim of safeguarding such data.
The ambit of what is defined as 'personal data' may be wider than you would first think. In fact, it includes anything by which an individual could be identified, whether directly or indirectly. For example, this includes not only your name, age and gender, but also information such as lifestyle, family or financial details. Most businesses will therefore be either processing or controlling personal data, such as that of employees or customers. A data controller is a person who determines the purposes for which and the way in which any personal data is processed, whereas a data processor simply processes the data on behalf of the data controller. This distinction is important because the DPA places obligations on the data controller, but not the data processor.
Since the implementation of the DPA, the legal and technological landscape has changed drastically. New technologies and globalisation have meant that the current directive is somewhat outdated and on 25 January 2012, the European Commission published its initial proposal for a new draft General Data Protection Regulation (the draft regulation) which would replace the existing regime and harmonise data protection across the European Union. It is important to note that regulations, unlike directives, apply directly in all member states once they pass into law without the need for implementation.
The draft regulation is very complex and also highly prescriptive. Below are some of the key differences:
The current directive applies only to those businesses that are established in the European Union or that are making use of equipment within a member state. The draft regulation extends this to businesses which offer goods or services to EU data subjects or which monitor their behaviour. Therefore, online businesses that would previously have fallen outside the scope of the directive may now be within the jurisdiction of the regulation, leading to lobbying against the draft regulation by internet-based firms such as Facebook, Yahoo! and Google.
The current directive requires consent to the processing of data to be specific, informed and given freely. The draft regulation adds the requirement that it must be “explicit”. For example, opt-in mechanisms whereby you tick a box to consent may qualify, whereas opt-out mechanisms whereby you un-tick a box to state that you do not consent may not. Several conditions are also added, such as that the consent can be withdrawn at any time and that it must be distinguishable.
The draft regulation has significantly extended and added to the existing rights of individuals set out in the directive. For example, the draft regulation has established a data subject's (ie, the individual who is the subject of the personal data) right to be forgotten. This means that a person has the right to have their personal data erased and no longer processed if certain criteria are met, including, for example, in cases where the data subject has withdrawn their consent for the processing or where the data is no longer necessary for the purposes for which it was collected or processed. The data controller is also under an obligation to inform third parties of a data subject's request to erase any links to personal data (take a moment to think what this would mean in the context of Facebook and other social media!).
Unlike the current directive, the draft regulation imposes direct obligations on data processors - including implementing appropriate security measures - to assist data controllers with privacy impact assessments and to maintain documentation for all processing operations for which they are responsible. Data processors will therefore have to ensure that they themselves are in compliance.
The level of the fine which can be imposed for breaches of the regulation varies depending on which article has been breached. While any breach must be intentional or negligent, the maximum fine available is up to €1 million or, in the case of an enterprise, up to 2% of its annual worldwide turnover. If you think of the annual worldwide turnover of companies such as Google or Facebook, you will quickly appreciate the potential scale of such fines.
The potential financial impact of the draft regulation is still uncertain, although the European Commission has estimated that the harmonisation of the data protection regime across Europe is expected to save businesses up to €2.3 billion per year. That being said, there will also be substantial cost implications for businesses, which will not only have to review their existing policies but also get to grips with new obligations and processes. The Ministry of Justice estimated that the new regime will cost UK business between £80 million and £320 million a year; however, this figure should be viewed with caution, as 87% of businesses indicated that they were not able to provide an estimate for future spending on data protection. Companies which derive the most benefit from holding personal data, or which perceive they would risk considerable damage due to security-related breaches, are likely to incur the highest costs.
It is important to note that this legislative reform is not happening in a vacuum. The recent revelations concerning PRISM, for example, are directly affecting the discussions on the contents of the legislation. The Civil Liberties Committee MEPs recently proposed that the legislation should contain stronger safeguards in relation to data transfers to non-EU countries and include plans to increase the available fines to €100 million or up to 5% of the annual worldwide turnover. According to their proposals, if the United States wanted to obtain personal data processed by Yahoo! or Facebook in the European Union, Yahoo! or Facebook would first have to seek authorisation from the national data protection authority before transferring any such data to the United States, and would also be required to inform the person that such a request has been made.
Therefore, the impact of the proposed new regulation is vast and varied. Businesses will be faced with substantial new obligations and costs, and will have to start thinking about any changes that will need to be made to internal processes and policies to comply with the new regulation. The regulation may also affect those who have previously fallen outside of the scope of the current regime, such as data processors and online businesses.
Before the draft regulation comes into effect, it has to be considered and approved by the European Commission, the European Parliament and the Council of Ministers. Such approval must realistically be dealt with before May 2014 (when the European Parliament and Commission elections take place) to avoid any serious delays to the current timetable, which envisages the regulation becoming applicable to member states in 2016.
Janine Kessel is a fourth-seat trainee in the technology department at CMS Cameron McKenna.