European Commission reveals data protection proposals. Points to note.

Insight Contacts

Craig Chaplin

National Head of Commercial & IP

DD +44 (0)161 604 1642

M +44 (0)7801 583 882

Date: 02/02/12

The European Commission released its proposals for an overhaul of the EU data protection regime on Wednesday 25th January. Although this was the first official release of the proposals, a draft was leaked online last December and the content is broadly similar. Now some of the dust has started to settle, we recap the highlights.

The current position

The current data protection rules are starting to creak. To put things into perspective, the current UK regime is based on a 1995 EU directive developed 3 years before the incorporation of Google, 9 years before the launch of Facebook and 11 years before the first tweet.

Whilst the UK regime has managed to remain relatively flexible and relevant, thanks to the continued guidance and shepherding of the Information Commissioner’s Office (ICO), it is generally felt that the law is in need of updating in light of the exponential growth of the internet, social media and online advertising, advances in technology and the emerging risks to people’s personal data.

Although an update is widely welcomed in principle, the proposals are proving controversial. The general consensus of the online industry is that, in an attempt to protect the individual, unreasonable and unworkable burdens risk being placed on organisations, and that EU talk of cost savings is misconceived when more prescriptive obligations are being introduced at the same time.

Highlights of the proposals

Against this background, what are some of the most important points to note from the proposals and what might the UK data protection regime look like in the future?

A uniform EU regime - It is proposed that the new rules are implemented by an EU regulation rather than a directive. This means that the new law will be directly applicable in the UK once the regulation is passed, whereas a directive only obliges member states to pass their own implementing laws. This approach should produce a uniform set of data protection rules across the EU, rather than the fragmented system we currently have.

Consent must be explicit - Under the new proposals, where consent is needed to process personal data, that consent must now be “explicit”. This consent, as under the current rules, must also be informed and specific.

This changes the current position; where consent is sought it is often obtained implicitly through the ability of a person to “opt-out”. The need to obtain explicit consent will be a bitter pill for some organisations to swallow.

If this proposal is carried through to the final rules we can expect some organisations to try innovative ways of obtaining consent and more likely than not, some falling foul of the regulations.

All other criteria for lawful processing of data remain untouched from the current directive in force and include, amongst others, the necessity of processing for the performance of a contract and necessity for compliance with a legal obligation.

The right to be forgotten - This point is particularly contentious.

Under the proposals a person will be able to request that an organisation erases all of their personal data if the data is no longer necessary for the purpose for which it was collected, or if they withdraw their consent to its use.

Where organisations have made the data public they must also take all reasonable steps to inform third parties who process this data of the individual’s request for removal. How this would work in practice is still very unclear. When someone updates a social media profile this information can be disseminated far and wide through the web; the practicalities and burden of looking to ensure the erasure of such data seem, on the face of it, extremely testing.

The ability to transfer electronic data (data portability) - This right allows a person to obtain a copy of their data from an organisation so that they can then put it into another system. It derives from the idea that if you are putting your data onto a service, you should have a right to take that data to another service if you so wish.

One of the areas this is targeted at is social media. The battle between Google+ and Facebook is well documented, and both parties have previously acted to restrict the other’s access to, and compatibility with, their services and the data held on them. If these rules come into force they have the potential to punch holes in the walls of these services’ currently ring-fenced networks.

Reporting data protection breaches - An organisation must notify the ICO without “undue delay”, and where possible, in less than 24 hours of any personal data breach. If notification takes place outside of this 24 hour window then it must be accompanied by a “reasoned justification”. Affected individuals must also be told without “undue delay” if their personal data might have been put at risk.

This has been introduced in response to a number of high profile data breaches in the last year, where the breach has not been notified to the authorities or the persons affected until some time after.

There are real concerns that this rule is overly onerous and is not helpful in the handling of situations where data breaches occur. Firstly, there is no element of materiality within the regulations, which may lead to unnecessary administrative burden. On the face of it, all data breaches must be notified to the ICO within 24 hours, however small. Secondly, if a large data security breach does occur, especially a hacking attack, an organisation will have to plough all of its resources into investigating the incident, stopping it and shoring up the hole as fast as possible. Being obliged to notify the ICO and inform individuals in parallel, in particular when the picture would be very unclear, would arguably distract from this most vital of tasks, and potentially even exacerbate confusion and resourcing issues.

It is possible that we will see a heavy reliance on notification outside of 24 hours accompanied by a reasoned justification, but what would be accepted as a justification is unclear. It is to be hoped that guidance will address such issues in future.

Changes to administrative processes - An organisation will have to document all of its processing. This is intended to replace the general obligation to register with the ICO. The documentation would have to be made available to the ICO on request.

The European Commission believes this proposal will reduce the administrative burden on companies and is talking of savings of €130 million as a result of measures like this cutting red tape; needless to say, not everyone agrees.

A Data Protection Officer - If an organisation employs 250 people or more, or regularly monitors personal data, it will be required to appoint a Data Protection Officer (DPO). It will be the DPO’s role to advise on and monitor all data protection issues and to maintain the required documentary records.

VERY BIG sanctions - There is a new staggered regime of fines for intentional and negligent breaches, which in a worst case scenario rise to €1 million for individuals and 2% of annual worldwide turnover for organisations; a massive increase over the current £500,000 ICO cap. Interestingly, the highest level of fines does not apply to the right to be forgotten (where fines would rise to 1% of annual worldwide turnover), but will catch, for example, non-compliant foreign data transfers and failure to notify the ICO of breaches.

Is it time to future-proof?

The first thing to say is that we are still very much at the proposals stage. The regulation is to be passed on to the European Parliament and EU member states for discussion shortly, and will then go through the EU legislative process. The best guess is that it will become law in 2014 or 2015, after a 2 year transition period.

During this period the proposals will probably evolve, but it is virtually certain that they will eventually be passed in a form which affords greater protection to individuals.

Let’s not forget, these proposals were leaked last year, and despite pressure, the majority of the most controversial ideas have remained.

In the meantime, it is worth making sure your house is in order concerning the use of personal data. Whilst the new regulation is a significant evolution of the current rules, it is arguably not revolutionary, so adhering to best practice now is likely to put you in good shape for adapting to the new regime when it arrives.

For more information please contact Rob Machin on 0161 604 1676 or email robert.machin@dwf.co.uk
