Phone-tapping. Espionage. Whistleblowing. You could be forgiven for thinking this was the pitch for an Ian Fleming novel. However, these are not the headlines of 007’s next mission, but the backdrop to the EU’s ongoing attempts to overhaul its outdated Data Protection legislation.
The 1995 Data Protection Directive established data protection law in the EU, and was implemented into UK law in 1998 by the Data Protection Act. However, since then, technological progress and globalisation have fundamentally changed the way data is collected, accessed and used, leaving the law limping behind. Additionally, each of the EU’s 28 Member States has implemented the directive in a different way, making cross-border enforcement complicated to say the least.
The recent allegations of snooping by the US on the phone calls of EU leaders, and the disclosures of whistleblower Edward Snowden about US and UK spy programmes, have given this issue a new urgency.
The Proposed Legislation
Data protection legislation ensures that individuals’ personal data is processed within a legal framework of rights and duties which recognises the sensitivity of that data. The proposed, draft Data Protection Regulation has been designed to strengthen those safeguards particularly in relation to the online privacy rights of Europe’s 500 million citizens. Significantly, under current legislation, data controllers are responsible for ensuring that any data processors working for them are legally compliant; the draft law, for the first time, also places direct statutory liability on the data processors themselves for failure to comply.
Other key outcomes of the proposed Regulation are:
- Under the current proposals, companies in Europe will be subject to one law, a single Regulation, replacing the current fragmentation of laws;
- The territorial scope of the law has expanded: non-EU companies who control or are processing (i.e. data controllers and data processors) the personal data of EU citizens will now be subject to the new law;
- Restrictions have been on the ability to transfer to third countries: companies such as Google and Microsoft would no longer be able to pass data on a European citizen to a third country;
- New definitions have been inserted such as “encrypted data”, “profiling”, and “genetic data”, reflecting new concerns and concepts. “Sensitive Data” is newly defined in Article 9 and expanded to cover “gender identity” and a variety of sanctions;
- Processing personal data remains lawful if done for ‘legitimate interests’; A new Article on Data Subjects’ Rights proposes that data controllers provide data subjects with direct access to their personal data via a secure system. Controllers are given 40 days to respond to requests from data subjects;
- Data subjects have been provided with a number of new ‘rights to know’ such as, if there are joint controllers, the “essence of the arrangement” should be made available to them, and whether personal data has been disclosed to a public authority.
- If more than 5,000 data subjects in any 12 month consecutive period are being processed by a company, it must appoint a Data Protection Officer (DPO). This is also the threshold for a Data Protection Impact Assessment (PIA). Further, where special categories of data, location data, data relating to children or employee data in large scale filing systems is processed, a DPO will have to be appointed;
- A company’s ability to profile users of its services automatically will be limited; instead it will require the prior, explicit consent of the individual whose data it intends to process;
- Data subjects will have the “Right to Erasure”, i.e. the right to withdraw consent, in which case a company must erase their personal data if requested (although this obligation has been watered down in recent amendments);
- Designated data controllers and processors will have an obligation to notify authorities of data breaches without delay, within 72 hours in most cases. Supervisory authorities will have a new duty to maintain a public register of the types of notified breaches;
- The activities of the European Data Protection Board (EDPB) have been expanded to imposing decisions of national supervisory authorities if necessary, issuing guidelines, and other codes for best practice;
- The current draft allows regulators to impose penalties of up to the greater of €100m or 5% of annual worldwide turnover for serious breaches.
Points of View
The proposed legislation was approved on 22 October 2013 by the EU’s Civil Liberties Committee (LIBE) by 49 votes to 3 (one abstention); the necessary first step to the proposal becoming law. The next step, obtaining agreement of the EU’s 28 Member States, will be a more fraught affair.
The UK Government: In the UK, there is general consensus that strengthening the law in favour of protecting the individual is a good thing; however, there is debate on just how far the legislation should go. The UK Government has had to play a delicate balancing act to ensure that it addresses the concerns of our commercial sector, the human rights lobby, and our US friends.
The UK Government has had to navigate through these diverse positions, and in November 2012, the Ministry of Justice published an extensive report on the proposed Regulation giving its view: ‘The UK Government are seriously concerned about the potential economic impact of the proposed data protection regulation… a further serious issue is the possibility of stifling innovation through prescriptive and inflexible rules on gaining individuals’ consent…’
The Business View: There is mixed reaction from the business community, although the majority view is that it is ‘over prescriptive and imposes unnecessary administrative burdens on Britain’s businesses at a time when Government should be doing the very opposite. The Federation of Small Businesses (FSB) observed that: ‘if you prescribe in too much detail, you don’t leave room for industry to develop their own standards or find their own solutions.’
Microsoft stated itself to be: ‘very surprised to find that a lot of new burdens were imposed on them, without receiving any new rights and new incentives’.
The UK Regulator: The Information Commissioner’s Office itself, the UK regulator on data protection issues, commented that the draft Regulation ‘would have considerable resource implications for all supervisory authorities.’ Fears were expressed that the ICO would be unable to keep up with the demand to respond to requirements such as receiving breach notifications and approving international transfers of data.
The US: The view across the pond is also one of reserved hostility. Washington has ‘actively been trying to water down the draft law through aggressive lobbying (which catches US companies if they are processing data of EU citizens) ‘by making US companies de facto exempt from it.’
Consumer Groups: On the other side of the argument, EU consumer groups are complaining that the proposals do not go far enough. French consumer group, La Quadrature du Net, worries that ‘there are some big loopholes that could void the effectiveness of the whole legislation’. For example, it highlights draft wording such as ‘legitimate interest’ as too vague, and could supply businesses with an easy and undefined defence to collecting and processing personal data. Are, for example, the purposes of providing a better service, a legitimate interest?
Future Progress of the Bill
Now that the LIBE Committee of the European Parliament has approved the draft legislation, the European Parliament must hold another vote, involving the agreement of all 28 Member States of the EU. This final vote was due to take place in the European Parliament in 2014, but the UK Government has fought to delay the passing of the legislation, and in October 2013 succeeded in doing so until 2015. On the assumption that there will be a two year implementation period (and this may be wrong), the new legislation may be in force by as late as 2017. However, we would advise organisations to prepare for implementation as early as 2015/16.