Revised EU data protection in effect already, says lawyer

Proposed changes to European Union (EU) data protection laws are already in effect, says privacy lawyer Stewart Room

This article can also be found in the Premium Editorial Download: CW Europe: CW Europe - July 2014 Edition

The proposed EU data protection legislation may still be a long way from becoming law, but its principles are already in effect, according to privacy lawyer Stewart Room.

“Regulators and courts throughout Europe are acting as if the proposed legislation were already in force,” he told the SC Congress in London.

Room said regulators and courts are interpreting existing data protection laws in the light of the European Commission (EC) proposals.

The recent landmark ruling by the European Court of Justice against Google in support of the controversial right to be forgotten is an example of this, he said.

Take-down requests were reportedly submitted to Google within a day of the court ruling that people could demand "irrelevant or outdated" information be deleted from search results.

According to Room, the Google ruling is significant because it proved wrong all those who thought that just having a sales office in Europe meant they were free of the obligations of a data controller.

“The ruling shows that anyone with power over data will be treated as a data controller, not just a data processor, which is something Google did not anticipate,” he said.

It has also demonstrated that European authorities have no fear in tackling big-brand companies such as Google, which could be a “game-changer”, said Room.

“This fearlessness can also be seen in the decision by European regulators to launch intensive investigations into eBay, following its recent data breach,” he said.

ICO adoption of proposed measures

Room said that, if the proposed data protection regulation is passed into law, the only real change it will add is the unprecedented fines of up to €100m or 5% of global turnover.

“Other than that, it does not really matter if the proposals are passed or not, with regulators and courts already acting according to the new thinking embodied in them,” he said.

Even the UK’s privacy watchdog is acting as if the proposed laws were already enforced, said Room.

The Information Commissioner’s Office (ICO) is already issuing warnings that it will punish organisations that fail to disclose serious data breaches involving personal information, he said.

Data breach disclosure

In the light of these de facto changes, Room said it would be “highly risky” for organisations to attempt to bury significant data breaches. “Expect a lot more breach disclosures in future,” he said.

Room said Europe risked “notification fatigue”, as has happened in the US, where data breach notification is already mandatory.

Some US organisations are already treating data breach notification as a defensive mechanism to deflect heat and get lost in the noise of data breach notifications, he said.

Room also advised companies to ensure they communicate with suppliers around the issue of data breach notification.

“While most firms will want to avoid being tainted by data breaches, there is the risk of suppliers wanting to be the first through the door, but it is not good if someone in your supply chain goes to the regulator without telling you first,” he said.

At Infosecurity Europe in May, David Smith, deputy commissioner at the ICO, advised companies to get their house in order under the current law.
