The data dilemma
Why is EU data protection law back in the spotlight?
The European Union recently published detailed plans for a major overhaul of the way personal data is protected, with potentially significant implications for all organisations which hold personal information about individuals in the European Union.
In 1995 the European Union passed the Data Protection Directive to harmonise data protection laws across member states. At the time, there were just 16 million internet users in the whole world. Today there are around 2.3 billion users, and there has been a corresponding increase in the amount of personal data we share online.
As a result, personal data has become a valuable asset to be exploited, as demonstrated by the success of data-rich companies such as Google and Facebook, which are able to generate massive revenues without charging end users for their services. The European Union has decided that its data protection laws should be updated to keep pace with the changing personal data landscape. On 25 January 2012 it published a draft regulation on data protection, which sets out its proposals for how the new framework should look.
However, the changes will not only affect giants like Google and Facebook. All organisations hold personal information about individuals, whether the individuals are employees or customers, and so these changes are relevant to everyone. The following is a summary of some of the main changes and the potential commercial implications.
Data protection authorities
Currently, organisations which hold and/or process personal information about individuals are supervised on a country-by-country basis by the data protection authorities in each member state in which they operate. Under the new framework, all of an organisation's EU-based activities will be supervised by the regulator of a single member state, depending on where that organisation's EU HQ is located or where its main activities take place in the European Union.
This is intended to create a more streamlined regulatory process and make compliance much less complex. At the same time, regulators will enjoy enhanced powers alongside their increased duties. Fines for certain kinds of breaches could be as high as 2% of worldwide turnover, which could make failure to comply a very expensive business.
New rights for individuals
The draft regulation creates new rights for individuals, including the right to be forgotten, the right to have electronic personal data transferred from one service provider to another, and the right not to have personal data 'profiled' (ie, automatically collected and analysed for commercial purposes). The right to be forgotten is particularly controversial, as finding and deleting all data belonging to a person may prove to be a very expensive and difficult task.
The draft regulation provides new definitions for the roles of data controllers and data processors. Data processors (ie, organisations which handle or process personal data on behalf of other organisations) will, for the first time, be directly liable for non-compliance.
Under the new rules, organisations with over 250 employees will be required to have a designated data protection officer to ensure compliance, and will be required to inform data protection authorities and individuals quickly in the event of a data security breach. There is also more detailed guidance on how organisations can transfer data outside of the European Union without falling foul of the rules.
It is hoped that these changes will assist organisations by providing a structured framework for ensuring internal compliance with data protection rules. However, some organisations are concerned that, at least in the short term, it will be difficult to meet these new requirements without significant expenditure and disruption.
Although the draft regulation has put data protection firmly in the spotlight, there is still some way to go before the changes described above come into force. The regulation may be enacted this year, but it will probably be at least two years before it is implemented. In the meantime, organisations are likely to be involved in a period of lobbying in order to smooth out areas of particular concern, and some of the changes set out above may not survive through to implementation.
However, the draft regulation has provided useful insight into how EU data protection law may look in the near future, and organisations based or intending to operate in the European Union will be keen to prepare themselves for these changes in advance.
Andrew Breeze is a second-year trainee in IT, telecoms and competition at Taylor Wessing.