New regulation on data protection and data processing is likely to hit the EU statute books in 2014. Here we provide an update on what companies should be thinking about in the run-up to implementation, which is likely to be in 2016.
New European regulation is set to boost individual data protection rights, leading to a more complex data processing environment for business, with much tougher penalties for non-compliance.
The biggest changes are around securing consent to hold data, with more situations where consent will be needed, and there will be much stricter controls to enable portability of data and the right to be ‘forgotten’.
And whilst the new regulation will place additional demands on companies, everyone should benefit from a simplification of cross-border trading, and smaller businesses will be exempt from some of the requirements.
The draft EU Data Protection Regulation IP-12-46 was published for discussion in 2012 and despite proving to be a contentious subject, won an overwhelming vote in the European Parliament last month. The remaining stage is approval by the European Council, which is expected by the end of 2014, with the Regulation becoming fully effective by 2016.
The aim is to harmonise data protection across all EU member states. The Commission has therefore taken the step of dealing with this issue by means of an EU Regulation, rather than a Directive, which removes the need for implementing legislation in the 28 individual EU countries.
Business has learnt to harness the potential of personal data and when it is collected, analysed and moved, it acquires enormous economic value – according to the Boston Consulting Group, the value of EU citizens’ data was €315 billion in 2011 and has the potential to grow to nearly €1 trillion in 2020.
As EU Justice Commissioner Viviane Reding said when she announced the Regulation, referring to the changed digital environment that has emerged since the 1995 data protection directive, “Seventeen years ago, less than 1% of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds.”
The background to the new law is the recognition that in the digital age, the collection and storage of personal information is essential. Globalisation means that the transfer of data between countries has become a fact of life. In announcing the draft Regulation, the EU pointed to the lack of borders online and how cloud computing means that data may be sent from Berlin to be processed in Boston and then stored in Bangalore.
The personal data covered by the Regulation is defined as any information relating to an individual. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites or medical information, to a computer’s IP address.
To better secure this information, the new Regulation is based on what the EU has described as four main ‘pillars’.
The first pillar is ‘one continent, one law’, which sets out to overcome the patchwork of national legislation that currently exists across the EU. This patchwork arises from the lack of consistency in implementing the original 1995 Data Protection Directive (implemented in the UK as the Data Protection Act 1998). In future, all businesses operating in Europe will comply with a single European law. The penalties for breach of the new legislation will also be increased, to up to €100,000,000 or 5% of annual worldwide turnover, whichever is greater. But for smaller businesses, those categorised as SMEs, that are not involved in data processing as a core activity, there will be no penalty for a first offence or non-intentional breach.
The second pillar is that non-EU data controllers will have to comply with EU data protection law where their processing relates to goods or services offered to European citizens; or where data is being used to monitor EU citizens in any way. This has been designed to ensure a level playing field between European and non-European businesses and extends to include IT providers, who must ensure their systems are designed to enable their customers to comply with the Regulation.
The third pillar is a strengthening of the rights of EU citizens to have their data erased. As well as requiring a data controller to delete the data they hold, it also extends that obligation to securing deletion by a third party that the data may have been shared with, although this can be simply an email to the third party.
The fourth pillar is the idea of a ‘one-stop shop’, which should simplify things for data controllers of companies operating across multiple EU states. They will no longer have to comply with the individual requirements of each country involved. Instead, compliance will be governed by a single lead authority, which the company can select. For example, if the company’s European HQ is located in the UK, then the company will be able to choose to deal only with the Information Commissioner in respect of data protection issues.
On the ground, what do the changes mean for business and what can be done now?
Unfortunately, quite a lot of the final detail still needs to be fleshed out and so firm arrangements to ensure compliance are difficult to implement. However, there are a few things that businesses can do to prepare:
– Consider whether additional consent is needed for any data, or categories of data, that your business processes, and how your data-gathering processes might need to change to secure it.
– If you are investing in any new IT or data management systems, think about how the changes might alter what you need them to do, and ensure the new systems are future-proofed.
– Think about using this as an opportunity to strip out any unused data and keep only what you need and use.
Web site content note:
This is not legal advice; it is intended to provide information of general interest about current legal issues.