In this age of increased cross-border litigation the landscape of data protection is changing, and new legislation is on the EU launch pad
The law on data protection is widely held to be outdated in a world of social media and mobile apps, so the EU is proposing a revamped regime. Here, experts in the field discuss the changes – are they really needed; will they work?
Technological developments such as cloud computing, social networking and mobile apps mean EU law is no longer fit for purpose.
The EU claims current laws often conflict and cost businesses a total of nearly £2bn a year. It is widely accepted that present laws do not reflect the way huge amounts of personal data are transferred around the globe in fractions of seconds.
Guests at the latest The Lawyer Briefings Live event were treated to a bout of extended intellectual jousting between a lively panel debating the topic of data protection and what the proposed new European regulatory regime might hold for high-end users and the legal sector.
As Data Governance Forum founder and chair David Reed said in his introduction, people are in turn “baffled, concerned and excited” by the proposals, and, with cross-border data transfers and litigation on the increase, data protection is rising up the agenda.
The event tackled proposals on data protection regulation that could impose eye-watering penalties of up to 3 per cent of worldwide turnover on companies for breaching the rules, which would apply across the EU and impose German-style obligations.
Other members of the panel debated the merits of the proposals, asking how companies can address the challenges of data transfer protocols such as ‘safe harbour’ and ‘the right to be forgotten’.
The hook of the debate was January’s European Commission proposals for an updated data protection regime.
Companies, particularly those using data in hi-tech industries that need to grow in the internet economy, have expressed concern at what they feel is a piece of uncompromising legislation weighted heavily in the favour of the general public – the people whose data is being processed.
One issue the panel got stuck into was the requirement under the proposals for small and medium-sized businesses to employ data protection officers (DPOs).
Any company that handles personal data and has a staff of 250 people or more must appoint a DPO, yet as one panellist pointed out, there are 8,500 such businesses in the UK and fewer than 900 trained people registered with the International Association of Privacy Professionals.
Do it for Homer
The emphasis is on compliance, but another panellist suggested this aspect of the legislation “brings the whole thing into disrepute”.
“It needs to be simple – for people like Homer Simpson to understand,” said data protection consultant and former Everything Everywhere data protection head Martin Hoskins. “We must get away from having ‘high priests’ of data protection.”
External bureaucracy around data protection will be reduced with the new regime, it is claimed, because an EU-wide set of rules will be easier for the US to comprehend when dealing with cross-border data transfers, but there is the potential for more internal paperwork for businesses.
A welcome contributor was Dave Evans, group manager, business and industry, at the Information Commissioner’s Office (ICO), who was able to provide a regulator’s point of view. He has spent the past two years on cookie regulation and runs the team that deals with the data-heavy private sector.
Evans suggested that what will end up in law is not what is in the proposals as they have to go through the “sausage machine” of ministerial amendments.
He questioned the description “German-style regulations” as there is still a long way to go before the proposals become law. He said there is no great push for or against the proposals, despite some amendments, but interested parties must keep up to speed, especially after the scramble to comply with cookie rules.
“There are lessons to be learned from the cookies rules,” Evans advised. “Everyone buried their heads in the sand, but then had to comply.”
You cannot be serious
Hoskins took a different line.
“I’m quite relaxed about what we have seen,” he confessed, “because [the proposals] are so awful they’re not going to go anywhere at all. Since January 25 they’ve been slashed and different provisions put in. My worry is that too many people are taking it too seriously.”
Yet the lawyer on the panel struck a note of caution.
Speechly Bircham partner and head of data protection and information security Robert Bond advises on compliance in cross-border litigation. He also deals with children’s privacy issues and the management of their personal data online.
Bond admitted: “As a lawyer, confusion is the enemy and I’m struggling on how we do this. But if you think it’s going to go away, it’s not.”
Bond was more in tune with Evans’ stance than Hoskins’, claiming “large sections” of the proposals will become legislation, although he said some may be “watered down”.
With an audience made up of in-house lawyers from big-name brands in areas such as telecoms, pharmaceuticals and publishing, Bond warned of the damage a breach of data protection legislation could do to reputation – never mind the 3 per cent of turnover fine.
“We have wise consumers,” he reminded participants, “so a breach can hugely damage trust and brand. We can’t afford to pretend we don’t have a law and don’t have to comply.”
The panel then turned to punishment, where Bond ventured that the US has a simple view on legislation for breaches of data protection.
He said that Americans tend to ask ‘where’s the two-by-four – the thing that shows me I’ll get crucified if I break the rules?’, adding that if the fines are not high enough compliance will slip down the priority list.
Nigel Murray, specialist in e-disclosure and managing director of management consultancy Huron Legal, thought the suggested level of fines was “focusing minds”.
The counter-argument is that the emphasis should be on encouraging compliance by imposing simpler obligations rather than scary fines.
Hoskins made the point that for global brands such as mobile phone operator Everything Everywhere – where he was head of data protection – customers are the greatest asset, so such companies impose the highest possible standards of data protection internally.
Next on the agenda was the ‘right to be forgotten’ rule contained in the proposals, where consumers can ask companies to delete anything published online about themselves, or personal data held by a business.
Companies must also notify anyone affected by data breaches as soon as possible.
There have been concerns raised about the cost of the process, particularly with large-scale hacking.
Hoskins bluntly dismissed the ‘right to be forgotten’ as “a soundbite” and asked: “How is it going to change the world?”
Bond suggested that aspects of the regulations have been a “knee-jerk response” by people who view social media as the “work of the devil”.
The problems of data protection in social media are more of a “perceived harm” than a real risk, agreed the panel.
Binding corporate rules (BCRs) in the proposals allow multinational companies to transfer personal data outside the EU, but Hoskins took a hard line.
“They are brilliant for lawyers with brains the size of planets,” he said, arguing that a good BCR will give a firm six months’ work. “But if you’re paying for this, be careful. It’s a lovely idea, but is it achieving much?”
Hoskins said there are only 23 global companies with BCRs and Evans added that most have been approved by the ICO. They basically add up to “safeguard and protect data”.
Is it safe?
The debate then moved on to ‘safe harbour’ principles – a streamlined process for US firms to comply with EU rules.
Again, Hoskins was cynical and said there are “more boats on the Thames” than companies signed up.
“We already have a global way of doing it,” he explained. “If nobody is being harmed, what’s the point? I’d like to see someone getting harmed so we could see how it works!”
Reed said there is not a lot of data protection case law where companies have been in breach, but Bond added that when advising companies on the “worst that can happen” when breaching the rules it should be noted that “people can lose their jobs”.
Reed closed the debate by asking the panel how they felt about the “new era of legislation”.
Whereas Bond and Murray were “optimistic”, Hoskins was not.
He suggested that good data protection is “not what is being imposed on us” and hoped for a “fair wind to whip the regulations into shape”.
He concluded by saying he feared a “tick-box culture” would mean companies do a lot of things right and then “get a kicking” for any breaches.