To describe the job of a data protection practitioner as "not always easy" would have been a considerable understatement in 2012. Such practitioners, whether in companies, law firms or in politics, faced many challenges during the course of last year, and many times received nothing but criticism. We want to look back at the developments of 2012, and take a sneak peek at the coming tides.
1. EU Regulation
In what was a busy new year, January 2012 saw the European Commission present draft reforms to the European data protection legal framework: a proposed regulation (the Regulation) and a directive. Of the two, the Regulation (intended to directly bind the member states to its European data protection rules) seems to be of the greatest importance. The first draft of the Regulation included: strengthened rights for the data subject, in particular the "right to be forgotten"; the right to data portability; the consent requirement; the requirement of appointing an internal data protection officer; and high fines for non-compliance with the new provisions - up to 2% of a company's annual turnover. The Regulation's scope extends to data controllers and processors that have a seat in the EU, but also to companies outside of the EU that process personal data of EU citizens in order to offer goods or services to them, or to monitor their behaviour.
The uproar was tremendous; the data protectors felt the draft was not strict enough, and the data users found it far too strict. All parties agreed that the administrative effort caused by the Regulation would be sizeable. The pros and cons of the draft were discussed at many forums and conferences, in part directly with the Commission members involved in drafting the regulation (for example at the Europe Data Protection Congress of the IAPP 2012 in Brussels). The Commission welcomed the comments and discussions, and presented a revised draft of the Regulation (the revised Regulation) in January 2013 (more on this below).
2. Cookie Regulations or Non-regulations
Directive 2009/136/EC, revising inter alia the ePrivacy Directive 2002/58/EC, introduced new rules for the use of tracking technology, namely cookies. According to the new rules (in the amended article 5(3) of the ePrivacy Directive), the storage of, or access to, information that is already stored on the user's end device requires the user's consent, after the user has been provided with the information required under the applicable data protection provisions (in Germany: section 4(a) of the German Federal Data Protection Act). Exceptions apply only to storage and access that is necessary to transmit a message (in the technical sense, thus not restricted to emails or similar messages), or to provide the service requested by the user. In plain language this means that cookies may only be used without consent if the company would be unable to provide the services requested by the user without using them. The implementation period expired in May 2012 – without Germany having taken any steps towards implementing the new requirements. Nevertheless, many website operators make an effort to comply with the requirements of the Directive and have already carried out comprehensive audits of their existing tracking technologies, adapted the privacy policies of their websites, and generally attempt to provide the user with information on the use of such technologies. In doing so, it makes sense to look at the implementation of the Directive in other countries; for instance, the guidelines issued by the UK Information Commissioner (www.ico.gov.uk) were amended (relaxed) very recently due to the increased awareness and knowledge of consumers about the topic (in particular, consent can now be granted implicitly). However, the storm has not yet quite settled and users of cookies are well-advised to adopt transparency as a major principle.
3. Employee Data Protection
At the end of 2010, the government published a first draft of a detailed introduction of employee data protection into the Federal Data Protection Act. This draft attracted a lot of criticism and remained a topic for discussion throughout 2012. However, its importance has since been downgraded owing to the introduction of other, more pressing topics. Even though the coalition wanted to force a vote on an amended draft at the beginning of 2013, this hasty project was swiftly withdrawn following public uproar.
4. Cloud Computing
Many companies are still drawn to the cloud, mostly due to cost considerations and the desire to have universally accessible information. While these are generally legitimate considerations and there are cloud solutions that comply with the European requirements and national legislation, such solutions are rare and often require intense negotiations with the service providers. Such negotiations are often doomed from the outset, because of the cloud provider's global concept that aims for a "one size fits all" solution, as this allows it to operate in the most cost-efficient manner (owing to the controllable processor load and standard solutions). A lack of negotiating power, however, rarely provides a solid argument vis-à-vis the data protection authorities, so the cloud user in Germany should carefully consider the cloud provider, and should contemplate (particularly for critical data) a European cloud. Whether the initial cost considerations then still justify the change must be evaluated on an individual basis.
It seems that great things will happen in 2013. Although removed from the immediate agenda, a codification of employee data protection is not yet completely off the table. For multinationals the latest draft even resulted in a positive surprise because it suddenly contained a concern privilege. However, it seems rather unlikely that the draft will be voted upon within the current legislative period. Meanwhile, the draft European Regulation makes good progress, and it remains unclear as to how the "cookie Directive" will be implemented, enforced, or possibly neglected by Germany.
Companies are well-advised to prepare for the changes to come. Cookie audits and elimination of unnecessary cookies are certainly steps in the right direction. A review of the most recent draft of the EU Regulation already shows areas that will definitely result in a need for adaptation, for instance risk assessments. Companies therefore have the opportunity to get a head start by preparing for these already identifiable changes. Some may even consider the implementation of binding corporate rules – the creation and implementation of which is a lengthy process, but the basic considerations can be initiated in advance.
In conclusion, companies should, in general, be aware of the weight of these topics – which is only likely to increase. It is always a great advantage to know and manage one's own data volume, its content and its data flows in detail.