Big changes expected as EC publishes data protection review

The European Commission is to publish a draft update to the Data Protection Directive with big changes for organisations that process personal data.

The European Commission is expected to publish a draft of its update to the 1995 Data Protection Directive on 25 January that will bring considerable changes for European-based organisations processing personal data.

The draft revision contains several draconian new data protection requirements, which will be difficult or impossible to implement for many organisations, UK data protection lawyers have warned.

Data protection regulation

Eduardo Ustaran, partner at law firm Field Fisher Waterhouse, said the first significant difference will be the introduction of data protection regulations, as opposed to a directive, to achieve consistent protection across the EU.

Draft documents and various sources in Brussels suggest the EC is set to publish proposals for data privacy regulation which would see a single set of rules imposed for the whole of the European Union.

Data privacy regulation would directly dictate legal requirements to EC countries, rather than leaving room for individual member states interpreting legislation in line with a directive.

“In particular, I expect the new framework to strengthen individuals' rights, increase the responsibilities of controllers and establish the role of data protection authorities and their enforcement powers,” Ustaran told Computer Weekly.

Data breach notification

The revised framework is widely expected to require organisations to notify users and authorities about data breaches within 24 hours.

Information assurance firm NCC Group welcomed the proposed move to the data breach notification requirement common in many US states, but raised concerns about its limitations.

“This is a hugely positive step. We’ve long been calling for organisations to be legally compelled to declare data losses,” said Rob Cotton, chief executive of NCC Group.                    

Companies need to take responsibility for the data they own, and it is vital for end users to be aware of compromised information so they can take protective measures such as changing passwords, he said.

More openness around corporate data breaches will reduce the associated stigma and assist organisations in taking appropriate action faster, said Cotton.

“One concern over the strength of the proposal is that it isn’t just end users and authorities who should be informed of data losses, but all stakeholders. Everyone from end users to investors has a right to be well-informed with regards to the security of a company’s data,” he said.

Right to be forgotten

One of the most contentious proposals will be the new right to be forgotten, said Jane Finlayson-Brown, partner at law firm Allen & Overy.

The proposal says people will be able to ask for data about them to be deleted. Organisations will have to comply unless there are legitimate grounds to retain the data.

Internet users must also give explicit consent to use data about them, be notified when their data is collected, and be told for what purpose it is being processed and how long it will be stored.

“While attractive to users of social networks, it will apply generally and will require many organisations to re-engineer business processes and technologies,” said Finlayson-Brown.

“The question that many people will ask, given the economic climate and the associated costs of compliance, is whether this additional requirement is really worthwhile given that individuals' personal data are so widely and voluntarily made available on the net,” she said.

Regulatory intervention

Despite the EC’s declared aim of cutting red tape, additional red tape pervades the proposals, according to Finlayson-Brown.

In general, organisations can also expected greater regulatory intervention, with wider powers and an expanded role for supervisory authorities such as the Information Commissioner’s Office (ICO) in the UK.

Firms that fail to comply with the proposed new rules will be fined a percentage of their global revenues, although the exact level is not yet clear, with reports ranging from 1% to 5%.

“By linking fines to company turnover and adding an obligation to notify data breaches, data protection compliance promises to grab the attention of board-level executives,” says Finlayson-Brown.

Maintaining balance

However, Liz Fitzsimons, senior associate at international law firm Eversheds, says it is important that the new data protection rules are future-proofed to achieve a suitable compliance regime for the 21st century.

Regulators must carefully balance the need for suitable protection of privacy and rights with ensuring compliance is realistic and achievable, she said, in the context of rapid advances in technology, the increasingly complex global use of electronic data, data proliferation and the novel ways developed by businesses to better harness data value.

“For many countries and organisations the new data protection regulation will impose material changes in approach. At a time when trading is vulnerable and enterprise needs to be encouraged, it is hoped that the right balance has been achieved,” she said.

Once the draft is published, the proposed rules will need to be approved by the EU's member states and ratified by the European Parliament, which means it could take at least two years before they come into effect.

Read more on Privacy and data protection