The European Union’s proposed General Data Protection Regulation will not make life easier for companies.
But there is good news. Ian Walden, professor of information and communications law at Queen Mary, University of London, will reassure delegates at the 2015 Data Governance Europe conference in London in May that their jobs are safe.
There will be plenty to do after the regulation is implemented, he will say in a keynote talk, ‘Can we see clearly yet? Data protection reforms’.
The regulation has been a long time coming. In January 2012, the European Commission revealed the draft of the regulation, which will replace the 1995 Data Protection Directive. As a regulation, it will be EU-level law – not, as with a directive, something to be implemented by each member state. Each national regulator, such as the Information Commissioner’s Office in the UK, will oversee the same regime.
The EU’s European Council has been aiming for adoption of the regulation in 2015, but years of discussion have combined to make that unlikely. “There is a gap between what the Council wants, which is data controller-friendly, and what the [European] Parliament wants, which is more friendly to data subjects, or citizens,” says Walden.
“There will need to be some concessions on both sides. And, once implemented, there will be a greater need for co-ordination among the regulators in the member states. That will take time.”
Although it seems the “one-stop shop” approach, to be incorporated in the new regime, will be a boon to non-European – particularly US – companies, it will not be so straightforward, says Walden. If a data subject in France has a complaint with a company whose main European establishment is in the UK, where will he or she go?
It would be easier to lodge the complaint in Paris, but the new regime would suggest the Information Commissioner’s Office in Wilmslow.
But what if, in the meantime, the UK votes to leave the EU in a referendum? Or what would be the impact of a referendum, and its preceding negotiations by a newly elected Conservative government?
“The UK is recognised as having a liberal data protection regime,” says Walden. “A prospective UK pull-out will not be good news for UK business in relation to ensuring that the final regulation will be suitable. The country’s negotiating stance would be undermined.”
In the meantime, the course of European case law has been effecting change. The ‘right to be forgotten’ that the new regulation was to have enshrined has turned out to be encoded in existing European legislation – the 1995 Data Protection Directive – after all.
The European Court of Justice’s May 2014 ruling against Google, following referral of a case from a Spanish court, means that privacy trumps not only the search engine company’s private corporate interests, but the more general public good of having access to comprehensive sets of search results.
“To me, that was a surprising verdict, based on scant analysis,” says Walden. “It has a potential chilling effect on freedom of expression.”
He also expresses discomfort with the notion that data subjects should own their own data in a legal sense, able to trade it as a commodity for their own commercial gain. “By making information property, you reduce access to freedom of expression,” he says. “It has implications for newspapers publishing information, for example, which becomes theft or expropriation if personal data is deemed to be property.
Personal data as property
“Personal data does not fall within traditional concepts of property; it can also be public, like the electoral roll, for instance. Even if you argue that data does have property-like characteristics, in that you can control it – having it erased, say – you don’t own your personal data. It is important not to give people unrealistic expectations.
“And enthusiasts [for owning and trading one’s own data] tend to be sophisticated in ways that are not true of most people, who are just not interested in this kind of thing.”
Meanwhile, data management professionals will see their roles become “more front and central” in their corporate organisations, says Walden. “If you say that intellectual property and personal data are the top assets of companies now – the new fuel – and if you have a comprehensive legal regime to protect the former, why not the latter?”
Whatever the final shape of the General Data Protection Regulation, says Walden, “this is not going to be easier for companies”. He adds: “It is nonsense to think it will reduce bureaucracy. If anything, there will be more compliance burdens on data controllers and data processors.
“And whatever the precise scale of fines for non-compliance, it will be very significant – 5% of global annual turnover, as proposed, is significant. Under UK law already, a data subject no longer has to show economic loss, just ‘distress’.
“US companies targeting EU citizens, in particular, will have to take data protection more seriously, although ongoing negotiations between the US and EU over a common data protection framework may take even longer than reaching agreement over the Regulation.”