The New Data Protection Regulation – An Opportunity Missed
On Wednesday 25 January we saw the European Commission’s proposal for updating the European Union’s data protection regime in the form of a new Data Protection Regulation.

The contents of the document weren’t entirely unexpected, partly as a result of various clues and hints that had emerged from DG Justice over the last year or two, but also because a draft of the Proposal was leaked and had been circulating on the Internet since December. This leaked draft had sent shock waves through much of the business community, particularly high tech industry, as it seemed to be an utterly uncompromising piece of legislation written entirely from the point of view of individuals whose data is being processed. With fines of potentially up to 5 per cent of worldwide turnover and an obligation to notify individuals within 24 hours of any breach affecting their data, it didn’t appear to pay much heed to the interests of business or the need to continue growing the internet economy.
Would the “official” regulation contain similar horrors?
What finally emerged on 25 January has changed quite significantly, with many of the most controversial issues in the leaked proposal having been watered down – a bit. In some areas the changes are modest – the maximum fines are now ‘merely’ 2 per cent of worldwide turnover rather than 5 per cent, which is still disproportionately high, and the obligation to notify breaches within 24 hours now carries a slight exception, applying only where this is feasible – but overall it appears that the Commission has made some attempt to listen to many of the criticisms. What isn’t clear is whether the changes are, as many would hope, the result of strong and effective lobbying by industry groups, particularly the high tech industry, or the result of the many internal criticisms of the leaked Regulation from within the Commission itself, which ironically, in a data protection discussion, were also leaked. Whatever the reason for the softening, things have got better, but can one yet say – as the Commission is saying – that the Regulation is good for business?
Not yet. There’s still some way to go. While it’s fair to say that much of the existing paperwork and external bureaucracy around data protection has been reduced – there are fewer filing requirements with individual country data protection authorities – there is the possibility that, for many businesses, this is replaced with an even greater internal bureaucracy, with businesses having to develop and document new compliance processes incorporating privacy impact assessments and the like. All good for lawyers, but for small businesses? Does a business as small as 250 people really need the additional burden of having to employ a data protection officer? Under the latest proposal they do.
And what of the US multinational – good for them? In parts. Not having to comply with the slightly differing laws of 27 different countries is a positive step (this being the main benefit of using a Regulation rather than a Directive) – harmonisation is good. But surely it depends on the level at which that harmonisation takes place? Exporting sensible, measured compliance obligations EU-wide – good. Exporting some of the more draconian and unworkable requirements of certain EU countries’ existing laws – bad. In other words, it depends on the level at which the harmonisation occurs.
But perhaps the most frustrating aspect of the proposed regulation is the opportunity missed. The review of EU data protection laws was justified by the Commission on the grounds that the world of technology had moved on, and that new developments such as cloud computing, social networking, mobile apps and so on meant that existing EU law was no longer fit for purpose. This is true, but what it should mean is that any proposed replacement deals adequately with these technologies, which doesn’t mean simply writing overly prescriptive laws that make life extremely difficult for many of today’s most successful internet companies.
Is it really realistic in a time of ubiquitous data sharing around the world to cling to an export ban on moving personal data out of the EU? While there are exceptions to the ban under the new Regulation, as there are under the existing laws, they are still largely formalistic, clunky, paper-heavy approaches. If new technologies are challenging data protection laws, such that they really need a comprehensive overhaul, then isn’t it time for a comprehensive re-think too?
Any such re-think has to ask what is better for individuals too. The answer is surely a “good” level of data protection compliance by the greatest possible number of organisations handling information about them. The assumption that this is achieved by setting the bar as high as the Commission can get away with, and by having maximum fines that are truly frightening, has to be questioned. Isn’t it time for simpler, less prescriptive, more realistic (yet still robust) obligations that can be understood by the average businessman?
When personal data processing has become as ubiquitous as it now is then isn’t it time for at least some understanding of how to handle information about people to become ubiquitous too? Surely it is. And is the draft Regulation the best way to achieve this? Surely not.
Dr Mark Watts, data protection partner, Bristows
Readers' comments (1)
Candace Kendall | 27-Jan-2012 3:28 pm
I think you're spot on there. There was a real opportunity here to move the DP regime forward and it's a disappointment that the draft Regulation not only does not reflect today's reality but leaves itself with little or no chance of accommodating future technological developments. It will be way out of date before it is even in place.