The draft EU data protection Regulation has caused much debate, but is it too early to prepare for implementation?

What is happening?

The majority of the EU Commission’s proposals were set out in a draft Regulation published in January 2012. The Commission’s intention was to replace the existing laws passed in 1995 with a regime better suited to developments such as e-commerce, social networking and cloud computing. The Commission’s stated aim is for the new regime to provide individuals with more control over their personal data, fostering confidence that such data will not be compromised in their online activities, which will in turn support growth and innovation.  

While organisations should be aware of the proposals’ potential reach, significant negotiations are still ongoing at EU level over the direction that the legislation should take. The draft legislation is likely to be subject to further amendment before it is passed into law.

When will the new laws be in force?

As the draft regulation envisages a two year period for organisations to plan for implementation, it is unlikely to be in force in the UK before 2016 at the very earliest. The exact timing will depend on further debates and negotiations at EU level, as referred to below.

What were the Commission’s main proposals?

The headline proposals were:

  • Providing data subjects with a “right to be forgotten”, subject to certain limitations, such as where the data controller is subject to a legal obligation to retain the data.
  • That whenever consent is required for data processing, it should be given explicitly.
  • Easier data portability for individuals wanting to transfer their personal data from one service provider to another.
  • Fines of up to €1m or 2% of annual turnover for intentional or negligent failure to comply with certain provisions.
  • A duty on companies and organisations to notify serious data breaches without undue delay, and where feasible within 24 hours.
  • Mandatory appointment of a data protection officer, and a requirement to maintain internal records in relation to data processing activities and procedures.
  • Tighter regulation of the activities of data processors.
  • Regulation of data controllers based outside the EU.
  • A more unified approach across the EU, including a single national data protection authority point of contact for companies, and a right for individuals to refer cases to their home country’s data protection authority.

What has resulted from lobbying for a more risk-based approach?

A large number of amendments are reported to have been proposed during the legislative process, with lobbying by member states, regulators and business interests. On 31 May 2013 the Presidency of the Council of the European Union published an alternative text for consideration by the Council (consisting of ministers from the EU member states). The alternative text seeks to be less prescriptive, offering a more “risk based” business-friendly approach. The alternative proposals include:

  • The qualification of various obligations and exemptions in the original draft to take account of factors such as risk.
  • Mostly replacing “explicit” consent with “unambiguous” consent, except in relation to sensitive personal data. It also proposes that: “Where it is technically feasible and effective, the data subject's consent to processing may be given by using the appropriate settings of a browser or other application.”.
  • Specific measures in relation to “pseudonymous data”, defined as: “personal data processed in such a way that the data cannot be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution”.
  • The 24 hour provision relating to notification of data breaches (see above) is replaced with a 72 hour provision.
  • Amendments to the provisions concerning data controllers and processors that are established outside the EU.
  • The appointment of a data protection officer would not be mandatory, but member states may decide to implement such a requirement.  

A note from the EU Council’s presidency outlines the ongoing nature of the discussions and negotiations at EU level and between member states in relation to the draft. Media reports have suggested that the legislative process has stalled whilst negotiations continue. It remains to be seen whether the EU will be able to agree on a final text. The main question is whether the reforms will ultimately reflect the more risk-based text, and if so to what degree. As the terms of the current EU Parliament and Commission both expire in 2014, it is likely that any reforms will need to be agreed at EU level by May 2014.  

Should businesses and organisations be preparing?

Whilst it is certain that the new law will require businesses and organisations to re-evaluate their data processing procedures and activities, some caution needs to be exercised until the scope of the new law is clearer. There are significant differences in the two texts, and media reports indicate that member states continue to disagree over the form the legislation should take. However, organisations and businesses should in any event be keeping their procedures and data security measures up to date, and the ICO currently has power to issue fines of up to £500,000 for breaches of the Data Protection Act.