Practice Compliance analysis: The EU's proposed general data protection Regulation is being much debated and is the subject of a recent review by London Economics, carried out for the ICO. Howard Ricklow, an intellectual property and media and entertainment partner of Collyer Bristow, comments on the EU's proposals.
There is a lack of understanding across business around the proposed EU data reforms, with 40% of companies not fully understanding any of the ten main provisions being proposed. This is one of the results of an independent survey commissioned by the Information Commissioner's Office (ICO), which also found 87% of businesses are unable to estimate the likely costs of the draft proposals to their business.
What are the key proposals and what are they trying to achieve?
The proposals are quite extensive and have generated a great deal of debate and concern. The EU Council's Justice and Home Affairs Committee have published a draft compromise text of the Regulation. Their approach generally has been for a more pragmatic business friendly regime. The stated aims of the Regulation, as set out in the Recitals, are to enhance the on-line privacy rights of individuals, reduce legal fragmentation in the area, increase consumer confidence and remove barriers to business.
There are some key proposals which have been much discussed. One of these is the removal of the Subject Access Request fee. Presently, data subjects have to pay a £10 administration fee to get access to data stored about them, which is thought to deter frivolous enquiries. It's thought that the change may lead to more requests and that could place additional burdens on business, especially small businesses. Another is the meaning of 'personal data'. Presently, organisations may process information on individuals who cannot be identified from that data or other data which the data controller has. The Regulation extends this to cover situations where the data subject can be identified by, for instance, an 'on-line' identifier. This is assumed to mean, eg, IP addresses, cookie identifiers, etc. Business is concerned that this will increase the extent of data protection.
One proposed change of major concern is the replacement of 'consent' for the processing of the data subject's data with 'explicit consent'. It's been suggested that this be modified to a more manageable 'unambiguous consent'. Also there may be an extension of the legislation relating to 'sensitive personal data' (eg racial origin, political opinions, health condition) where explicit consent to its use must first be obtained. The inclusion of 'biometric and genetic data' is being proposed. Again, the question is what this will mean and what additional burdens its inclusion will place on business. Article 17 deals with the so-called 'right to be forgotten', under which a data subject can require a data controller to erase personal data relating to them. In addition the data controller will have to take all reasonable steps to inform third parties which are processing that data to also carry out the erasure of links and relevant data. This is considered to be over-ambitious and impractical, especially given how quickly data can be copied and distributed.
Another important introduction under the Regulation is that data controllers will be required to notify the supervisory authority (ie the ICO) of any breach within 24 hours of becoming aware of it. It's being proposed by the Council that this should be extended to 72 hours. A proposed increase in possible fines for breach is also attracting criticism. Fines will be increased from £500,000 to £1 million or 2% of annual turnover worldwide, which may be considered to be quite draconian.
Another section of the Regulation relates to the extension of the geographical scope of the law. The Regulation will apply to data controllers outside the EU, where the processing activities are in any way related to services or goods that are offered to data subjects in the EU; or the monitoring of their behaviour. This would be a major change and would impact on many non-EU businesses. The Council is proposing that both the language and currency used on a website must be considered when determining whether there is 'offering of goods or services' to EU data subjects and the 'monitoring of data subjects' behaviour' be restricted to behaviour taking place within the EU.
How could the proposed reforms impact on law firms?
Law firms will need to take note of the new regime in the same way as other organisations. Solicitors are generally already aware of their data protection obligations and in addition are bound by confidentiality and conduct rules. Solicitors' firms that actually do business on-line, and who may be storing more personal data and perhaps sharing it, are likely to have more to think about. Firms advising in the area can, on the other hand, also expect to get increased regulatory advisory work out of the proposed new regime.
Many estimates on the cost of the new regime to business are being suggested. The Ministry of Justice has suggested it could cost business here between £80 and £320 million a year. There is a fear that the added cost of compliance may put EU based businesses at a competitive disadvantage or that the costs will be passed onto EU consumers.
What should firms do next?
There may be some slippage on timing on the introduction of the new regime, but it's scheduled to come into force in 2015. However, we know from previous run-ups to legislation (eg the Companies Act 2006) how quickly time passes, and all organisations processing personal data, including law firms, should undertake an audit of their current data protection measures. It's likely there will be some tweaking and some changes, but the core of the Regulation is unlikely to be substantially changed. Law firms generally are aware of the legal requirements regarding data processing and confidentiality and can be expected to broach the necessary changes very quickly.
Are there any trends emerging in this area?
In my experience, there's a developing trend for businesses to take data protection more seriously. There has been increased publicity regarding businesses which breach data protection legislation and the substantial fines being imposed. Even smaller businesses are aware that they must be rigorous about compliance, including compliance when they share data with organisations outside the EEA. I expect, as a result of the publicity regarding the new regime, that lawyers will be kept busy advising on compliance.
Politically, of course, there are those who are pointing to increased regulation as a negative aspect of EU membership for the UK. But the claimed motivation for greater regulation of this sort is also to improve standardisation, which can assist business. A balance has to be struck between allowing businesses to function efficiently and protecting individuals. Some countries (including the UK) have suggested that the new rules be contained in a Directive rather than a Regulation, but I suspect that the Commission will try to resist this to avoid any divergence under particular countries' Regulations.
Interview by Diana Bentley.
This article first appeared on Lexis®PSL IP & IT 24/06/2013