EU data protection framework: is it good news for business?

EU Justice Commissioner, Viviane Reding, claims it is good news for business. But will onerous requirements outweigh the benefits?

EU Justice Commissioner, Viviane Reding, claimed the draft new European data protection framework is good news for business because it removes the uncertainty and costly administrative burden created by a patchwork of data protection laws and data breach notifications.

“My proposals will help build trust in online services because people will be better informed about their rights and have more control of their information. The reform will accomplish this while making life easier and less costly for businesses,” she says.

Under the new proposals, companies will have to deal with only one set of data protection rules and be answerable to a single data protection authority: the national authority in the EU country where they have their main base.

In theory, then, the aim of the EU’s data protection reform is to modernise, simplify and strengthen the data protection framework to unlock the full potential of the single market and foster economic growth, innovation and job creation. But will it?

Former UK Information Commissioner Richard Thomas praised the European Commission’s shift away from paper-based, bureaucratic requirements towards compliance in practice, genuine harmonisation and individual empowerment, but he said there are real risks that new bureaucratic burdens will be created and that some proposals will be very difficult to implement in practice.

Jane Finlayson-Brown, partner in legal firm Allen & Overy's data protection team, says that while the EC has clearly reacted to many of the concerns raised over an earlier leaked version of the draft, the latest draft still includes a number of draconian requirements that many businesses will find difficult to implement and which are at odds with pledges to cut red tape and reduce costs to businesses.

Under the new rules, for example, all UK companies that suffer a security breach will have to inform the Information Commissioner within 24 hours of discovering a breach. Companies with more than 250 employees will have to appoint a privacy officer and corporations risk being fined up to 2% of their global turnover for failure to adequately secure citizens’ information. In addition, in a new “right to be forgotten” ruling, customers can request details of the information that companies hold about them and ask for it to be amended or removed.

In an attempt to introduce more flexibility, the EC has blurred some of the original tough but clear requirements. “This is bad for everyone and will create uncertainty. We would expect, and hope for, more changes as these proposals continue to be debated,” says Finlayson-Brown.

Businesses operating in more than one EU country will, however, welcome the fact that they will be subject to oversight from one supervisory authority rather than multiple authorities, she says.

Stewart Room, partner at legal firm Field Fisher Waterhouse, is sceptical of the claim that the new regulation will simplify the compliance load for business, or that it will help to unlock the single market to achieve economic growth.

“While there are some bureaucracy-reducing initiatives within the regulation, such as simpler notification procedures, these do not counteract the effect of new rules on consent and transparency, accountability, risk assessments, privacy by design, data portability and the right to be forgotten, which will add substantially to the cost of doing business,” he says.

This, says Room, added to the new rules on enforcement and sanctions, is likely to cause businesses to be more cautious about data processing, with an obvious stifling effect on innovation. “It is also important not to forget what is actually behind the regulation, which is an aim to transition from light touch to heavy touch regulation; tougher regulation does not sit well with a liberal economic agenda.”

According to Stephen Midgley, vice president of global marketing at security firm Absolute Software, the proposed financial penalty of 2% of global turnover could leave businesses reeling. “In our experience, very few companies are able to say where their data is at any one time and as such, new and more aggressive legislation could leave thousands of businesses open to financial penalty.”

Enforcing 24-hour mandatory reporting of security breaches will put significant pressure on organisations to speed up internal security auditing processes and adopt more effective tools for managing and analysing risk, says David Fowler, chief operational officer at security firm Courion.

The new rules will have an enormous impact on how companies and websites look after users’ personal data, said Lior Arbel, director of strategic data security, Websense.

“This will mean that any customer records and internal human resources lists will have to comply with the new rules, and companies will need to be able to demonstrate how and why they are using personal data,” he says.

Despite the EC's claims that the new data protection framework will make things easier for businesses, in its current form it imposes a lot of burdens and restrictions too.

In the light of these new burdens, some commentators hope that, just as the draft proposals published on 25 January were improved from the version leaked late in 2011, the version that is ultimately adopted will be amended further still.

However, the chances for revision are likely to be limited, according to data protection lawyers. “We understand that in the weeks following the leak there was intense dialogue between the Institutions of the EU who are involved in the regulatory reform process, so one can assume that the version published on 25 January is one that the key stakeholders have signed-up to,” says Stewart Room.

For this reason, the scope for serious revisions will depend on the reaction of the EU Member States and whether they feel it is worth their while trying to achieve changes, he said, although there is some hope around the controversial breach disclosure requirements.

“A sporting bet could be placed on the new breach disclosure rule being changed, to match the one that was introduced for telcos and ISPs in 2009; the 24 hour period for reporting breaches to the regulators makes no sense and may be counterproductive, so if the security community get the bit between their teeth they might be able to persuade the EU to adopt the ‘without undue delay’ approach that applies for telcos and ISPs,” says Room.

Considering that significant compromises on the most demanding requirement set out in the draft proposal are unlikely, most UK companies will have a lot of work to do to ensure they can comply.

The good news is that the proposals will now be passed on to the European Parliament and EU Member States meeting in the Council of Ministers for discussion and will take effect about two years after they have been adopted, as national governments will have to agree to the proposals before any rules are enforced.

This will give companies time to get their affairs in order, but none should delay as it may take time for some businesses to implement robust policies around access to and storage of the sensitive data that they handle as part of their day-to-day business.

Companies will also need to consider limiting access to data or using secure document management applications to ensure data cannot be shared beyond a pre-defined circle of devices, and in the event of mobile devices being lost or stolen, businesses will need to implement fail-safe solutions to lock down and wipe data.

For businesses and other organisations that handle personal data and are not currently in full control of their data, there is no time to lose. Failure to act now could have serious financial consequences a few years on.
