Data protection law is about to undergo the most fundamental change in 15 years. The EU’s Justice Commissioner, Viviane Reding, announced in January a proposal for reform of the EU data protection regime. If passed into law, the proposed changes would require businesses to make some significant changes to how they currently process and use personal data. The new rules will represent nothing less than a complete overhaul of the current data protection regime.
Assuming the proposed reforms are adopted, we estimate that many of the changes will not take effect until 2015 at the earliest. Thankfully, this gives businesses a reasonable period of time to explore how they can integrate the legal changes into their operations with minimum disruption. Of course, the far-reaching implications of the new rules mean that significant lobbying from interest groups is now likely to occur even though the measures were published after a long public consultation.
What are the Key Points for your Business?
- A single European Data Protection Regulatory Framework is proposed. This will involve repealing the 1995 Data Protection Directive which is in current operation and replacing it with a Regulation that will be automatically effective in all EU member states. This means that, unlike the Data Protection Directive, member states will not need to implement their own laws to transpose the new measures. This change is significant and aims to ensure that the same law applies across the EU, as currently the implementation of the Data Protection Directive can differ across member states. However, this uniformity may not be easily achieved given that the regulators of each member state may still adopt and apply different interpretations of the new law.
- Increased fines will be available to national regulators, on a sliding scale of up to €1 million, or up to 2% of a company’s global turnover in serious cases. Even for businesses which had feared that a 5% fine was in the pipeline, this is clearly a ‘game-changing’ provision aimed at ensuring data protection compliance is taken seriously.
- The introduction of a new ‘right to be forgotten’ will be of particular interest for businesses in the social media space but is not limited to that area. If a customer contacts you to ask you to remove their details from your database, you will be obliged to do so unless you have a legitimate reason to retain their data. This is likely to be one of the most controversial aspects of the regulation and will be the subject of much lobbying.
- The introduction of a ‘right to data portability’ for data subjects will mean customers must be able to receive data from businesses in a way that allows them to move it freely (for example in a commonly used format such as PDF). This, no doubt, will impact on suppliers of cloud-computing services who may need to redesign their storage systems to allow easy data extraction.
- Businesses with more than 250 employees, as well as some other personal data-intensive businesses, will be obliged to appoint a Data Protection Officer for a minimum two-year term. They will also be obliged to resource that person to enable him/her to carry out their functions. Again, this is likely to attract a great deal of attention from lobbyists, given the potential cost of compliance.
- Companies will only need to deal with a single data protection regulatory authority in the member state in which they have their main establishment. Many technology companies involved in foreign direct investment have based their European, Middle Eastern and African headquarters in Ireland. Under the new regime, the Irish Data Protection Commissioner will be their data protection regulator. This change should be beneficial for multinational companies with a trans-European presence, as they should no longer have to deal with multiple data protection regulators.
- Rules on consent will be considerably enhanced, with few opportunities for data controllers to rely on implied consent. This development has already attracted criticism as, while it is a truism that consent is key to data protection compliance, consumers often express frustration at being repeatedly asked for consent in their interactions with businesses. Conducting business online and electronically will become less dynamic and more cumbersome in the absence of implied consent.
- A mandatory security breach notification obligation to data protection regulators will be introduced, which may need to be fulfilled within 24 hours of an organisation becoming aware that a breach has occurred. Anyone who has ever been involved in a large-scale security breach will know that this can be extremely onerous: in many cases, several days can elapse while the scope and extent of the breach is being determined.
- The introduction of a ‘privacy by design’ principle will mean that data protection safeguards must be taken into account at the planning stage when companies are designing products and services. Systems currently in design will need to be future-proofed to ensure they meet the requirements of the new regime, taking account of new rights such as the ‘right to be forgotten’ and ‘data portability’.
Data protection law is about to undergo the most fundamental change in 15 years. If you regard personal data as a key driver for your business, or if your business holds a significant amount of personal data, then you should start considering whether you need to change existing data protection policies and procedures. You will also need to consider how to design and future-proof products and services to ensure compliance with the new rules.
For more information, please contact:
Peter O’Neill, Senior Associate, Commercial, t: +353 1 614 5888, e: firstname.lastname@example.org