EU Data Protection Regulation

The biggest changes are around securing of consent to hold data, with more situations where consent will be needed, and there will be much stricter controls to enable portability of data and the right to be ’forgotten’.

And whilst the new regulation will place additional demands on companies, all should benefit from a simplification of cross-border trading, and smaller businesses will be exempt from some of the requirements.

The draft EU Data Protection Regulation IP-12-46 was published for discussion in 2012 and despite proving to be a contentious subject, won an overwhelming vote in the European Parliament last month (March 2014), an irreversible step towards its adoption.  The remaining stage is approval by the European Council, comprised of ministers of EU member states, which is expected by the end of 2014, with the Regulation becoming fully effective by 2016.

The over-arching aim is to harmonise data protection across all EU member states, and although the fine detail is yet to be finalised, being an EU Regulation, rather than a Directive, it will become law without the need for any national legislation in the 28 individual EU countries.

Business has learnt to harness the potential of personal data and when it is collected, analysed and moved, it acquires enormous economic value – according to the Boston Consulting Group, the value of EU citizens’ data was €315 billion in 2011 and has the potential to grow to nearly €1 trillion in 2020. The planned Regulation embodies comprehensive reform of the 1995 EU data protection rules that the EU says is necessary to strengthen protection for this data to keep pace with change.

As EU Justice Commissioner Viviane Reding said when she announced the Regulation, referring to the changed digital environment that has emerged since the 1995 data protection directive, “Seventeen years ago, less than 1% of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds.”

The background to the new law is the recognition that in the digital age, the collection and storage of personal information is essential, with data used by all businesses, from the corner shop to banks, as well as social media sites and search engines.  Globalisation means that the transfer of data between countries has become a fact of life.  In announcing the draft Regulation, the EU pointed to the lack of borders online and how cloud computing means that data may be sent from Berlin to be processed in Boston and then stored in Bangalore.

The personal data covered by the Regulation is set out as being any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address. The EU Charter of Fundamental Rights says that everyone has the right to personal data protection in all aspects of life: at home, at work, whilst shopping, when receiving medical treatment, at a police station or on the Internet.

To better secure this information, the new Regulation is based on what the EU has described as four main ‘pillars’.

The first is one continent, one law and this sets out to overcome the patchwork of country-wide legislation that currently exists across the EU, which has resulted in lack of uniformity in application of the provisions of the original 1995 Data Protection Directive.  In future, all businesses doing business in Europe will comply with a single European law and the EU reckons this will save business across Europe €2.3bn a year.  Costs will be harmonised, overcoming current anomalies where different countries charge different amounts for the same thing, and penalties will also be the same in all countries.  The bad news is that the original penalty proposal by the EU has been beefed up by the European Parliament, which has recommended that Regulators in each of the EU countries be given the power to levy fines for breaches of up to €100,000,000 or 5% of annual worldwide turnover, whichever is greater.   But for smaller businesses, those categorised as SMEs, who are not involved in data processing as a core activity, there will be no penalty for a first offence or non-intentional breach.

The second is that non-EU data controllers will have to comply with EU data protection law where their processing relates to goods or services offered to European citizens; or where data is being used to monitor EU citizens in any way.  This has been designed to ensure a level playing field between European and non-European businesses and extends to include IT providers, who must ensure their systems are designed to enable their customers to comply with the Regulation.

The third pillar is a strengthening of the rights of EU citizens to have their data ‘forgotten’ or erased.  As well as requiring a data controller to delete the data they hold, it also extends that obligation to securing deletion by a third party that the data may have been shared with, although this can be simply an email to the third party.  What it does not do, is give anyone the right to re-write history.  The request for deletion must be on the ground that the data is no longer relevant – so, for example, someone could not ask for deletion of data if they are still in a contract with the company.  The press and scientific researchers will have special powers of exemption from most aspects of the requirement to be ‘ forgotten’.  The EU also hope that by having a single framework across Europe, this should enable a new era of pan-European medical research, which will not be constrained by the different data regulations of the different member countries involved.

Fourthly, the idea of a one-stop-shop should simplify things for data controllers of companies operating across multiple EU states as they will no longer have to comply with the individual requirements of each country involved.  Instead, compliance will be governed by a single lead authority.  Where an organisation operates across more than one member state, or where personal data from several member states is processed, an organisation can select which of the 28 will be their lead authority, and deal with just that one.   The EU suggests that the simplification should allow greater opportunity, particularly for smaller businesses, to break into new markets, knowing that they do not have to deal with any different regulation or associated costs. It will also simplify matters for EU citizens; in future if there is a problem, they can raise it with the regulator in their own country, even though it may have arisen through dealings with a business operating elsewhere in the EU.

On the ground, what do the changes mean for business and what can be done now?

All the predictions are that implementation is going to cost more than the current arrangements, so making allowance for the likely costs in budgeting certainly makes sense.  As well as making provision for potential costs in future budget plans, it’s also worth taking a careful look at any major IT-related development already going through, to future-proof such investment as far as possible.  The underlying principle of the new Regulation is that data protection should be by design, rather than by default.

So, it’s worth considering, for example, that when the new law comes into effect, the requirements covering business processes, particularly in relation to e-commerce, will place a bigger emphasis on obtaining consent for personal data use.  Existing processes are likely to need to be changed to secure the explicit consent that will be required.

The other big change around portability and deletion of data is also likely to affect the structure of any future data management.  Businesses will need processes that allow for these rights, and there is still some uncertainty over what may be required in practice but they include, for example, the right to demand a file of personal data in a format that can be transferred to another service provider.

For bigger business, the shift from a risk-based approach to a compliance approach, and the need to appoint an internal data protection officer, is likely to translate into a red tape burden that costs more to manage.   Rather than assessing the risk, there will need to be detailed records that document the measures taken to ensure compliance.  There is also a requirement to advise the regulating authority of any data security breach, ideally within 24 hours of identifying the breach, irrespective of any risk assessment.   Individuals will also have to be notified if there has been a breach involving their information.

These compliance requirements are reduced for SME companies, who will not have to appoint a data protection officer, unless data processing is their core activity.  They will no longer have to provide notifications to the regulator, a requirement under the 1997 Directive, and will not need to undertake impact assessments unless there is a specific risk.  Generally, compliance requirements will be calibrated to suit the extent of their activities, and will not be the same as for a multi-national corporation.

Whilst there may be a temptation to ‘wait and see’ exactly what is required, there’s enough information to hand following the sign off by the European Parliament for business to know that any systems-related development is going to have to be more flexible in future to deal with the demands of 21^st century European-wide data protection.

And it’s not all bad news and red tape.  The sunny side is the business potential of a market with a single set of regulations across 28 countries, particularly for smaller business.

http://europa.eu/rapid/press-release_MEMO-14-60_en.htm 

http://europa.eu/rapid/press-release_MEMO-14-186_en.htm
http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en
EU draft Regulation 2012 IP/12/46 http://ec.europa.eu/justice/data-protection/
EU 1995 Data Protection Directive (95/46/EC)

This is not legal advice; it is intended to provide information of general interest about current legal issues.