Next year could see one of the biggest changes to the economic and legal environments of Europe in general – and the UK in particular – as the EC data privacy directive looks set to be replaced with regulation, according to data protection lawyers.
Draft documents and various sources in Brussels suggest the European Commission is set to publish proposals for data privacy regulation which would see a single set of rules imposed for the whole of the European Union.
Data privacy regulation would directly dictate legal requirements to EC countries, rather than leaving room for individual member states to interpret legislation in line with a directive.
Once published, the proposal is unlikely to meet any opposition from the European Parliament, which has long supported the idea of regulation around data privacy, said Stewart Room, partner at law firm Field Fisher Waterhouse.
The changes will have important economic repercussions, particularly for the UK, which US companies have traditionally favoured as a European base because of its liberal attitudes towards data processors.
“While the regulation we are seeing coming down the line will not send all foreign companies rushing for the door, it will certainly prompt many to rethink their longer term strategy,” said Room.
The financial impact does not stop there either, said Eduardo Ustaran, partner at Field Fisher Waterhouse. New rules are likely to include requirements for privacy-by-design and privacy-by-default.
“We also expect compulsory risk assessments and compulsory in-house data protection officers for all but the smallest of companies, certainly all companies from an SME level up,” he said.
While the need for just about every company to employ someone in the role of data protection officer may go some way to redressing the problem of unemployment facing most economies, it will place an additional financial burden on many companies, particularly smaller ones, said Room.
In addition to the financial shake-up, the introduction of data protection officers to just about every company will make an impact on the traditional roles of chief information officer and chief information security officer, as the data protection officer will probably have greater, over-arching power, he said.
The envisioned regulation also poses a direct threat to new revenue streams and business models that rely on businesses being able to get the most value out of the data at their disposal.
"Data is the new gold; Google was the first to spot and exploit this and others will follow, so we must be careful the new regulation does not kill this massive hope for our economies. It is crucial that the regulation gets the balance right between preventing Big Brother and maximising Big Data," said Ustaran.
According to Room, European Commissioners believe what they are doing is right. But he said that, as children of the war generation, they are inherently conservative and tend to see the worst in everything.
“European bureaucrats are disconnected by age from the priorities of younger generations; their pessimism is what is driving their actions, despite the fact there is no evidence that things are as bad as the bureaucratic rhetoric claims,” he said.
Finally, there is also the risk that the proposed regulation will disrupt the supply chain in cloud computing by making everyone directly accountable for data privacy, said Room, which means if any one element of the chain is feeling the heat, they will run to the regulator to save their own skin.
The present regime requires co-operation between cloud service providers and their customers. But Room said direct responsibility of all for data privacy will destroy that collaborative approach and could break up the supply chain. It might even push up the cost of cloud computing because of increased risk, he said.
Room and Ustaran said that what the European Commission intends to impose through proposed data protection regulation will take Europe back to 1970s ideas of how business should be regulated, with data protection officers in every company being the ones who will typically say “no” to any business innovation around data relating to individuals.