EU Data Protection Proposals

Since 2010 the European Commission has been drafting a replacement for the EU data protection rules, to update them for modern technologies and to make them directly applicable EU law by enacting the core rules as a Regulation rather than a Directive.

In March 2014 the European Parliament voted strongly in favour of the draft regulation (621 votes in favour, 10 against, among them UK MEPs, and 22 abstentions), which would unify data protection law across the whole of the European Union. However, a recent survey carried out by Trend Micro found that half of UK public sector organisations are unaware of the proposed regulation, which would tighten data protection requirements and raise the level of fines for breaches.

Currently the Information Commissioner's Office (ICO) can fine public sector bodies and companies a maximum of £500,000 for breaches of UK data protection law. The draft proposals would increase this to €1 million (£824,000), and the European Parliament is pushing for the ceiling to be raised to €100 million.

The draft regulation updates the principles set out in the 1995 Directive to keep pace with the major changes in data processing brought about by the Internet. It would cover, for example, data processed within social networks, online shopping and e-banking services.

The data protection reform package consists of two draft laws: a general Regulation covering the bulk of personal data processing in the EU, and a Directive on the processing of data to prevent, investigate, detect or prosecute criminal offences or to enforce criminal penalties.

The Commission's proposals are being considered by the European Parliament and by the Member States (meeting in the Council of Ministers). Once adopted, Member States would have two years to bring the Regulation into effect and to transpose the Directive into their national laws.

Personal data will include any information relating to an individual, whether it concerns his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites or medical information to a computer's IP address. The EU Charter of Fundamental Rights states that everyone has the right to the protection of their personal data in all aspects of life: at home, at work, while shopping, when receiving medical treatment, at a police station, or on the Internet.

Key changes in the reform include:
• A single set of rules on data protection, valid across the EU. Unnecessary administrative requirements, such as the separate notification requirements for companies in each individual country, will be removed. The Commission estimates that this will save businesses around €2.3 billion a year.
• The current obligation on all companies to notify all data processing activities to their data protection supervisors (a requirement that has generated significant paperwork, at an estimated cost to businesses of €130 million per year) is replaced by increased responsibility and accountability for those who process personal data. For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (where feasible, within 24 hours).
• Organisations will only have to deal with a single national data protection authority, in the EU country where they have their main establishment. Likewise, individuals can complain to the data protection authority in their own country, even when their data is processed by a company based outside the EU. Wherever consent is required for data to be processed, it is clarified that the consent must be given explicitly rather than assumed.
• People will have easier access to their own data and will be able to transfer personal data from one service provider to another more easily (the right to data portability). This is intended to improve competition among services.
• A 'right to be forgotten' will help people manage data protection risks online: they will be able to have their data deleted where there are no legitimate grounds for retaining it.
• EU rules must apply when personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
• Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules, with penalties of up to €1 million or up to 2% of a company's global annual turnover.
• A new Directive will apply the general data protection principles and rules to police and judicial cooperation in criminal matters. Its rules will apply to both domestic and cross-border transfers of data.

Although there is some difference of opinion over the details (around 3000 amendments are currently tabled), there is a broad political consensus that the European Union needs a modern, Europe-wide approach to data protection law. Conclusions published by the European Council (representing each Member State) on 25 October 2013 stated that the new data protection law should be adopted by 2015 in order to advance the Digital Single Market. However, progress to date has been slower than the Commission anticipated and hoped for: the law has not yet been adopted, and discussions are expected to continue until at least 2015.

Some Member States, such as the UK and Germany, support data protection reform in principle but favour watering down the proposals and implementing the reform by way of a Directive rather than a Regulation. These Member States take the view that the new law over-regulates and, in some respects, would result in a lower level of protection than under their current national data protection law.

A law of this kind must be agreed by each of three independent EU bodies, the European Parliament, the Commission and the Council, and each of them can propose amendments. The sheer number of amendments tabled by the European Parliament's representatives (3000+), together with the Council's silence on its own position, means the likely shape of the final draft is unclear. At present, therefore, it is still uncertain when a final draft will be agreed and when it will be introduced.

Some Member States have also criticised the proposal for not adopting a more modern approach, especially towards online business and the Internet. The new law is supposed to answer future as well as current questions, yet many stakeholders believe it simply recycles the old EU Data Protection Directive.

It is also unclear whether the next European Commission will pursue the new law with the same determination as Viviane Reding, the current EU Commissioner for Justice, Fundamental Rights and Citizenship, and whether the newly elected European Parliament will lose the momentum for reform.

Although the EU has stated that the new law will save business billions of euros per year, what has not been discussed is the expected increase in complaints to national authorities under the 'right to be forgotten', and the impact that will have on every search engine provider, social network and, of course, cloud provider. There is also the question of non-European companies that hold EU citizens' data: how will the rules be policed, especially the obligation to notify the appropriate authority when they suffer a data breach?

Finally, where do we go from here? No doubt law firms that specialise in EU law will be planning how to feather their nests if and when the new law comes into being. The soundest advice, however, has come from the Information Commissioner's Office, whose Deputy Commissioner David Smith said: "In the meantime the best way that organisations can prepare for the new regime is to make sure that their data protection houses are fully in order under the current regime."