New EU data protection legislation is likely to hit businesses hard
The eurozone crisis and the focus on financial services regulation have diverted attention away from another important regulatory development in the EU. In the next few weeks the European Commission is expected to unveil its proposal for a new regulatory framework for data protection. The effects of this will be far-reaching and have a profound impact on almost every business and public sector organisation in the EU.
With data the key asset of modern business, the new regulatory framework has been keenly anticipated, not least because of the enormous changes in technology and business practice since the existing Data Protection Directive was introduced in 1995. However, not many anticipated that the draft proposal would be leaked shortly before Christmas by civil liberties group Statewatch.
Although the leaked proposal is subject to development, the structure and much of the content will likely remain. The leaked proposal reveals that the new regulatory framework will comprise a General Data Protection Regulation that will replace the current Data Protection Directive. There will also be a Police and Criminal Justice Data Protection Directive. However, it is the content of the leaked regulation that will be of keenest interest to business.
The use of a regulation was hinted at by commissioner Viviane Reding towards the end of last year and will be widely welcomed by international business. One of the recognised weaknesses of current EU data protection law is that each member state has implemented the directive in its own way. The regulation will be a big step towards harmonisation – particularly on the subject of consent – although complete harmonisation is not proposed.
The leaked proposals contain many new developments. Arguably, one of the most important of these is the much stronger emphasis on data security. Both data controllers and data processors will have stringent obligations regarding data security, including an obligation to undertake privacy impact assessments prior to the processing of personal data and an evaluation of data security risks.
Data controllers are also required to notify the supervisory authority of personal data breaches, document these and, where the breach is likely to affect the personal data or privacy of the data subject, to notify the subject. The time period proposed for notification – 'as a rule' 24 hours after the breach has been established – is tight. The EU proposals do not contain a materiality threshold for notification.
These provisions could be onerous for business and lead to a real danger of 'notification overload' for both data protection authorities and data subjects.
Finally, the provisions that have received most publicity are the proposed fines for non-compliance. These run to an incredible 5 per cent of annual worldwide turnover for enterprises, which represents a step-change in compliance.
The leaked proposals are to be broadly welcomed for attempting to bring the EU data protection framework into the digital, 'big data' age and introduce greater harmonisation. However, it is undeniable that the provisions will have a big and costly impact on European business. It is to be hoped that some of the rougher edges will be addressed before they are finally unveiled.