Where next for the new EU data protection regulation? by Stewart Room
The new European Union data protection regulation to replace the outdated 1995 directive will not be finalised before May's European Parliament elections.
The council of ministers’ lawyer is challenging the “one stop shop” principle, which is a major setback for the European Commission and humiliation for EU Justice Commissioner Viviane Reding, who has championed the reforms.
After 27 months of intense lobbying and debate, we are no closer to being able to say exactly what the future of the law reform process looks like or how it will affect business in the region - despite the European Parliament voting to adopt the draft legislation on its first reading on 12 March, to consolidate the work done so far and hand it over to the next Parliament. This means that MEPs newly elected in May 2014 can decide not to start from scratch, but instead build on work done during the current term.
But for many people in business, the outlines of the regulation set out in the proposed draft and what it will all mean, has become obscured by a storm of controversy.
The UK government is deeply opposed, and now that there is a storm of Euro-scepticism setting in across much of Europe, the draft regulation is likely to remain controversial for the foreseeable future.
A review of the draft in late 2013 by the Committee on Civil Liberties, Justice and Home Affairs (LIBE) unleashed even more debate that resulted in 91 amendments.
These in turn gave rise to further debate as the European Parliament sought to thrash out a final version of the regulation through a series of negotiations with member states.
Stewart Room, partner at law firm Field Fisher Waterhouse believes there will be a new law in the medium term because there is consensus across Europe and the data controller community that change is needed. However, he does not believe that a regulation is certain.
“I would much prefer to hedge my bets on an amended data protection directive of much less ambition than Viviane Reding’s model,” he told Computer Weekly.
But despite the confusion in the law reform process, Room says there is no reason for businesses to wait until the final version is agreed and published before taking any action - EU data protection regulators are acting as if the regulation were already in force on key points, so there will be no excuse for being unprepared when the new law comes into force, whatever its make up or complexion.
Room believes that the greatest effects will be around corporate governance and enforcement, which will involve a lot more red tape for businesses and costs that they will inevitably pass on to customers.
According to Field Fisher Waterhouse, after clearing away all the misleading and irrelevant clutter, there are 10 key features of Viviane Reding’s model that now need to be debated properly. These are:
1. 'One stop shop' versus 'lead authority'
The "one stop shop" mechanism - whereby local data protection watchdogs can act on behalf of all EU countries - has been replaced by the concept of a "lead authority", which will be responsible for consulting with the other competent authorities, taking their opinions into account and working towards an agreed position.
Room says this proposal is unlikely to satisfy global businesses because he sees the proposal as a “fudge” that looks good on paper. “There will still be too many regulatory views put into the system to call it streamlined and business friendly,” he says.
2. Increased fines
The draft has introduced significant fines and sanctions. Businesses that do not comply with the new regulation could be subject to fines of up to €100m or 5% of annual worldwide turnover, whichever is greater.
This is a significant increase from the original 2% proposed. Written warnings for first offences and regular data protection audits have also been proposed as an alternative to the standard financial sanctions.
Room says the new regime needs to focus more on positive incentives for compliance. “Presently there are none. This is a big mistake. Businesses often respond better to carrots than sticks,” he says.
3. Icon-based privacy notices
A new concept is the requirement for information to be provided to individuals in two ways: (i) in a yes/no icon-based table; and (ii) in a detailed notice.
This means it is highly likely that businesses will need to update all of their existing transparency mechanisms to meet this additional obligation, incurring unavoidable external costs.
“From an online shopper’s point of view there will be very little change except that privacy notices will be more prominent than before, but basic interactions with businesses online will essentially remain the same,” says Room.
Beyond this, users of online services are unlikely to be aware of any extra protection afforded by the new regulation. In fact, Room says it may take decades before any real benefits become obvious.
4. Privacy impact assessments (PIAs)
Businesses will be required to complete PIAs at least annually and in some instances the data protection officer or supervisory authority will need to be consulted. This is another example of increased administration and costs for businesses as a result of the proposals.
However, Room says that businesses do need to think hard about privacy risk. In the long run, he believes that businesses everywhere will see PIAs as part of the core business.
5. Increased threshold for appointment of Data Protection Officers (DPO)
The latest draft also introduces a requirement for all businesses processing personal data relating to 5,000 or more data subjects in any consecutive 12-month period, to appoint a DPO. It also introduces a two- or four-year minimum term for the DPO and they must also meet certain minimum criteria to be appointed.
Room is deeply critical of the DPO proposal. He does not see is as being evidence-based. “Businesses should have more flexibility about mechanisms they implement for monitoring compliance,” he says.
6. Territorial scope
The scope of the law has been extended so that it would also apply to businesses outside of the EU as long as they are processing personal data related to individuals established within the EU. This includes businesses processing personal data in order to offer services to or to monitor data subjects in the EU.
According to Room, this ultimately means that most website operators anywhere in the world could be captured and would be directly subject to EU law. But, in reality, the law firm says it is difficult to see how EU authorities would effectively monitor and enforce the regulation against non-EU businesses.
7. Distorted scope of international data transfers
The criteria for assessing adequacy has been amended, blurring the lines of what is acceptable in relation to data transfers to non-EU countries. However, Field Fisher Waterhouse believes for those businesses that frequently transfer personal data from the EU to third countries, they may be able to transfer data more freely if both the EU-based data controller and the non-EU recipient have been granted a valid European data protection seal.
8. European data protection seal (certification by authority or third party)
The latest draft encourages businesses to certify their data processing with a supervisory authority. When granted, the certification would be valid for up to five years and recorded on a public register.
Field Fisher Waterhouse says the primary benefit of this proposal is that it potentially provides businesses with lawful grounds for international transfers.
However, Room is sceptical about the viability of seal proposals. “Europe got it deeply wrong on e-signatures seals and killed the industry for trust certificates in Europe. My main concern is that business is too proprietorial to adopt seals, and trust authorities are too cumbersome or inefficient to scale,” he says.
9. Data breaches to be reported 'without undue delay'
The latest draft requires notification "without undue delay" as opposed to "within 24 hours"where there has been a data breach. There is also an obligation on supervisory authorities to maintain a public register of the types of breach notified.
This will place greater emphasis on the compliance function of most businesses to ensure internal policies and procedures are implemented and maintained.
“I am a big fan of breach disclosure as a theoretical benefit for consumers and the economy, but too much disclosure creates information overload. It is also worrying that breach disclosure could be merely creating a sausage machine for data protection fines,” says Room.
10. Consent must be freely given
Consent must be freely given and obtained for a specific purpose. Many have expressed concerns that to obtain "explicit" consent may not be achievable in many cases. However, the concept has been retained in the latest draft, so unless this is removed in the final stages, businesses and websites that currently rely on implied consent will face difficulties.
Considering the above 10 points, Room believes that core business processes will be affected little, with most changes relating to corporate governance and supervision.
“If the regulation survives, you will see a lot more red tape around corporate governance and much more regulatory intervention,” he warns.
This means businesses will have to spend more time each year on new processes that enable them to demonstrate they are taking reasonable steps to ensure all personal data is protected adequately.
If the regulation survives, you will see a lot more red tape around corporate governance and much more regulatory intervention
Stewart Room, partner at law firm Field Fisher Waterhouse
The most evident initial effect of the new regulation, therefore, is likely to be financial as providers of goods and services online pass those costs on to their customers.
The same is true when it comes to enforcement of the new regulations, which will, for example, require much more careful categorisation of data to ensure personal data is properly identified and protected.
The new regulation, therefore, would be likely to result in a lot more interference in business processes by data protection authorities.
This has led to some businesses questioning whether data protection authorities are to be trusted with the extra powers that will come with the new regulation.
In the UK, at least, the outlook is bright. Room says UK data protection authority, the Information Commissioner’s Office (ICO) is a much better regulator than it was back in 2011.
“I am seeing much more maturity in terms of enforcement which has led to a better understanding of business issues. From the business perspective, the ICO is to be congratulated,” he says.
However, Room says not all EU data protection authorities have matured in a similar way, which means some countries will see a marked increase in enforcement action.
Only once the maturing process is complete in all countries, he says, will the EU as a whole enjoy a better level of privacy with all data protection regulators working in partnership with business.