With the advent of social networking, cloud computing and smart cards we now leave digital traces with every online transaction we make. As a result, the European Commission has declared that we need to ‘future-proof’ our data protection rules, modernising the regulatory framework in line with the developments in the technologies it governs.
When we consider the statistics cited by the Commission (17 years ago less than one per cent of Europeans used the internet while today more than 250 million people use the internet daily in Europe), it is clear that the Commission has a point. The current rules fail to provide the necessary degree of harmonisation and efficiency to protect individuals’ personal data. Reform, therefore, is clearly overdue.
What are they proposing?
The last time the Commission came up with laws on data protection it proposed a Directive. As a result of the way in which the Directive has been implemented in the Member States (in the UK we implemented it with the Data Protection Act 1998) there are 27 similar, but different, data protection laws within the EU. With this experience in mind the Commission this time proposes to implement the new laws by way of a Regulation (there is also a Directive but it deals with personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities) which should, in theory, result in greater harmonisation.
The aim of the Regulation is to make life simpler – for example data controllers (those processing the data) will only need to notify their activities in one Member State. Equally individuals will be able to take their complaints or queries to their local supervisory authority even when the activity regarding their personal data is being carried out in another Member State.
Other highlights of the proposals:
- A requirement to notify national authorities of serious data breaches within 24 hours, if possible;
- Easier access to, and transfer of, personal data for individuals – the “right to data portability” ;
- A requirement for any consent to data processing to be explicitly granted rather than assumed;
- A ‘”right to be forgotten” to enable individuals to better manage data protection risks online and to delete their data where there is no reason for it to be retained; and
- Strengthening of powers of data protection authorities- granting broad investigative powers and the ability to impose fines of up to two per cent of worldwide turnover.
Initial reaction suggests mixed views on what is being proposed. Whilst the aim is to simplify matters for those doing business in Europe there is a feeling that it does not achieve its aim of being “future-proof” and in particular does not take into account the way in which data is transferred on a daily basis internationally. For example the Information Commissioner’s Office (ICO) has welcomed a number of the proposals – particularly where it seeks to strengthen individual rights. However the ICO has noted that in many respects “the proposal is unnecessarily and unhelpfully over prescriptive. This poses challenges for its practical application and risks developing a “tick box” approach to data protection compliance.” The Commission has set a two-year timetable for reaching agreement on the proposal so it will be interesting to see how these proposals develop if the Commission is going to keep to this deadline.