The proposed EU data protection legislation may still be a long way from becoming law, but principles are already in effect, according to privacy lawyer Stewart Room.
“Regulators and courts throughout Europe are acting as if the proposed legislation were already in force,” he told the SC Congress in London.
Room said regulators and courts are interpreting existing data protection laws in the light of the European Commission (EC) proposals.
Take-down requests were reportedly submitted to Google within a day of the court ruling that people could demand "irrelevant or outdated" information be deleted from search results.
According to Room, the Google ruling is significant because it proved wrong all those who thought that merely having a sales office in Europe freed them of the obligations of a data controller.
“The ruling shows that anyone with power over data will be treated as a data controller, not just a data processor, which is something Google did not anticipate,” he said.
It has also demonstrated that European authorities have no fear in tackling big-brand companies such as Google, which could be a “game-changer”, said Room.
“This fearlessness can also be seen in the decision by European regulators to launch intensive investigations into eBay, following its recent data breach,” he said.
ICO adoption of proposed measures
Room said that, if the proposed data protection regulation is passed into law, the only real change it will bring is the unprecedented fines of up to €100m or 5% of global turnover.
“Other than that, it does not really matter if the proposals are passed or not, with regulators and courts already acting according to the new thinking embodied in them,” he said.
Even the UK’s privacy watchdog is acting as if the proposed laws were already in force, said Room.
The Information Commissioner’s Office (ICO) is already issuing warnings that it will punish organisations that fail to disclose serious data breaches involving personal information, he said.
Data breach disclosure
In the light of these de facto changes, Room said it would be “highly risky” for organisations to attempt to bury significant data breaches. “Expect a lot more breach disclosures in future,” he said.
Room said Europe risked “notification fatigue”, as has happened in the US, where data breach notification is already mandatory.
Some US organisations are already treating data breach notification as a defensive mechanism to deflect heat and get lost in the noise of data breach notifications, he said.
Room also advised companies to ensure they communicate with suppliers around the issue of data breach notification.
“While most firms will want to avoid being tainted by data breaches, there is the risk of suppliers wanting to be the first through the door, but it is not good if someone in your supply chain goes to the regulator without telling you first,” he said.