Will proposed changes to European data protection law prove unworkable?

Data protection law in Europe is set to change, but it remains unclear if all proposals are workable

Data protection law in Europe is set to change. The European Commission is determined to achieve Europe-wide agreement on proposals that will transform our approach to data protection compliance. If all goes to plan, these proposals will be finalised within the year.

The proposed measures include a number of welcome changes. The recommendation for a single data protection regulation across Europe should provide greater harmony and avoid navigating inconsistent, individual country laws.

That said, as we draw closer to the final stages, a number of significant concerns persist about the proposals in the EU data protection regulation. 

The UK government, in particular, has been vocal in its criticism of some of the key measures, demonstrating how these are likely to prove onerous, costly and, in some cases, simply unworkable.

Right to be forgotten

One of the core proposals in the regulation that has generated criticism in the UK is the right to be forgotten. This measure would allow people to get their personal information removed from websites that link to or reuse this information. The right applies not just to websites, but to any personal data where it is seen as being held for longer than needed or where the person the information is about no longer consents to this information being available.

The problem is, the right to be forgotten is likely to promise more than it is ever capable of delivering. 

The exemptions to the right to be forgotten are wide in scope – data needed for purposes of freedom of expression, public interest in health and historical, statistical, research and legal reasons are excluded. There is also no guidance on when these exceptions might apply, so businesses will have to go through the exercise of deciding internally, which may produce inconsistent and controversial decisions.

The crucial question is how businesses will comply with this right to be forgotten.  

In many cases information is republished, copied or scraped and reused by others. On paper, the right requires that a business must not only delete the information it has, but also communicate the deletion request on to any others who have published this content. In practice, this may mean businesses become bogged down in the administration of locating and formally contacting a wide range of third parties – over whom they have no control.  

Those who simply believe that the proposed right will deliver a quick and effective removal of their information across the internet may need to think again.

Notification of security breaches

Another proposal in the draft regulation causing concerns is the obligation on businesses to notify regulators and individuals about security breaches. This is, without a doubt, an important and necessary obligation if businesses are to take the implications of failing to safeguard personal information seriously. 

However, there are a number of practical issues causing alarm to both businesses and regulators. 

As the draft regulation currently stands, any business that suffers a security breach must notify the regulator not later than 24 hours after becoming aware of the breach – or provide a reasoned justification where the notification is not made within 24 hours. 

Where a breach is made by a third-party service provider processing data, then the client should be informed immediately after the breach is established. Also, where any breaches are likely to adversely affect individuals, then these individuals should be notified without delay after the business has informed the regulator.

The proposals around reporting raise a number of concerns. These include:

  • The timings
    The need for third parties to "immediately" notify their clients or for businesses to notify the regulator within 24 hours are unclear and unrealistic. In practice, establishing if and how a breach has occurred may take longer than these timescales to understand.
  • The type of breach
    Any breach, however trivial, must be reported, creating a huge administrative burden.
  • The circumstances
    It is unclear why the regulator should learn of a breach before affected individuals, or how it is decided when there is an adverse effect on individuals, meaning they should be alerted.

It remains possible that these and other contentious proposals in the EU data protection regulation will be clarified, amended and brought into the real world in the next draft. Any failure to tackle the workability of these proposals may yet undermine the positive benefits the regulation will undoubtedly deliver.

Sally Annereau is a data protection analyst at international law firm Taylor Wessing.

Read more on Privacy and data protection