Why do you need to act urgently even if you feel your data handling is compliant? If you are a US headquartered company do you need to bother with these new EU laws and significant changes proposed?
2013 has already seen the frenetic pace of change from last year continue regarding new data laws and fines that will affect how all companies, regardless of business sector, use employee or customer data. The European Union, confirmed in the January 2013 Albrecht report, is indeed planning to dramatically amend its EU Data Protection Directive with a new Regulation.
This will tackle recent developments in social media, mobile apps and cloud computing as well as deal with a perceived serious lack of compliance thus far, particularly over use of customer data, lack of proper consents and more invasive marketing and advertising. Some were hoping that after much discussion and lobbying some of the more serious proposals might be further watered down or deleted, such as the "nuclear" 2% of global turnover/revenue fine for serious breaches of EU data law. However, the recent report from the EU Parliament's Jan Philipp Albrecht confirms the perceived need for even tougher fine levels and more aggressive enforcement. This is all on top of recent changes which saw fines dramatically increased in a number of EU countries, for example in the UK with new powers to issue fines of up to £500,000 (approx $800,000) per breach, and increased fine levels being pursued in France, Spain and so on. These major fines are not theoretical or proposals. They have already come into force and are being used. The "nuclear" option will be in addition.
Other hopes from some in industry that new proposed rights such as that "to be forgotten" might fade away were also dashed. Businesses will have to consider seriously what the impact will be of such changes and also note that such proposals have also highlighted existing requirements, such as not holding onto data for longer than necessary, which are already law and which enforcers are looking to more closely. This, along with the new Binding Corporate Rules (BCRs) for data processors that took effect on 1 January 2013, are just some of the recent changes with respect to privacy in the EU that need immediate attention and consideration even if the business is not EU based.
This week many stakeholders are meeting in Washington DC to take part in a major conference (as is your author) on such issues and it will be interesting to see if the feedback from industry sessions makes its way into deliberations and further fine tuning of the proposed new Regulation. Some further twists and turns are likely but the core new elements will almost certainly not be going away. What is certain is that companies cannot assume they are fully on top of what is arguably the fastest moving area of the law currently. A review of where the business is now and identification of what needs addressing is without doubt a current business imperative.
For an overview of some of the recent changes click here to see a recent Legal Week article.