As the EU updates its regulatory regime, Eduardo Ustaran argues that data protection compliance could be about to get more onerous
What do the collapse of Barings Bank, OJ Simpson’s trial and the European directive on data protection have in common? Answer: they all happened in 1995, well before Google, Facebook, iPhones, apps, cloud computing and the internet as we know it.
An obvious conclusion follows: the current data protection regime is no longer fit for purpose. At least, that is the message the European Commission has been hearing since it started its data protection legislative review process two years ago.
Now we are close to seeing a radical new framework. The proposal for a 21st-century data protection law is still in the making in Brussels’ corridors of power, but we can make an informed guess of what we will be presented with.
Much of the debate surrounding this process so far has been about the form the new framework will take. If, as has been made patently clear, the primary objective of the reform is to achieve the greatest possible degree of harmonisation the commission is likely to favour a regulation over another directive.
The effect of this would be a single piece of legislation immediately applicable across the EU without the need for implementation at a national level. If the clumsy implementation process of the revised e-privacy directive is anything to go by, the prospect of a regulation is highly possible. However, even a regulation would be enforced at a national level by each data protection authority, so an element of local interpretation will remain.
A crucial building block of the regime will be the rules determining the applicability of the law. For EU-based organisations a regulation would solve the problem of multiple national laws. The ’country of origin’ principle seems to be the way forward in terms of determining the competent data protection authority.
The big change in this respect will be for overseas organisations, which will find themselves subject to EU law when they target people in Europe, for example by employing them or marketing to them.
The right to be forgotten
With regard to the substantial content of the new framework we should expect some far-reaching tweaks to existing principles as well as some important novelties. An objective of the new legal framework will be to give greater control to individuals.
The cornerstone of this, as trumpeted by EU justice commissioner Viviane Reding, is the so-called ’right to be forgotten’, which is meant to allow individuals to get their personal information removed from publicly available platforms such as networking sites and other websites.
However, the huge two-fold difficulty with extending this beyond the current right to object is how to reconcile it with the freedom of others to disseminate information and the intermediary roles of those who act as conduits for this information.
As for transparency and consent we must prepare ourselves for some clever attempts to make these two aspects truly meaningful. Once again, the emphasis will be on putting people in control, but let us hope that the commission’s efforts to make legal obligations clear-cut do not translate into unachievable targets such as an unqualified interpretation of consent as prior, express opt-in and nothing else. At the very least, it is reasonable to assume that the legal grounds for processing personal data will continue to include – and possibly expand – the legitimate interest condition to justify such processing.
However, for most organisations the key new ingredient will no doubt be the accountability package. This will comprise a range of practical measures – from mandatory data protection officers to privacy impact assessments, and possibly internal audit and training requirements – that, for the first time, will make their way into the letter of the law on an EU-wide basis.
An outstanding question is to what extent this will be linked to provisions affecting international data transfers. The commission is likely to retain some restrictions but widen the mechanisms available to ensure that such transfers are lawful.
The effect of this wholesale reform should not be underestimated. Today’s information-hungry society needs a regulatory framework that addresses the dangers of poor data management while fostering digital innovation. To achieve that we need laws that promote good data protection practice in a viable and pragmatic way.
The greatest hope is that EU legislative bodies craft a regime that shows the benefits of data protection for all and encourages compliance not just for the sake of it, but for the good of the future generations.
Eduardo Ustaran is a partner at Field Fisher Waterhouse