Some global brands are very worried about the impact of the revised European Regulation on Data Protection, which is currently being debated in Europe, and they probably should be.
This is the first major overhaul of the legislation since the 90s, and the significant developments in data management, hosting and social networking have certainly outpaced the old law. There has also been consumer pressure to tighten data security, increase meaningful consent and curb the more privacy-intrusive aspects of the internet.
The European Commission released a draft of the new legislation last January and there has been frantic lobbying from business interests (including the likes of Amazon and eBay) ever since.
One thing to realise about this legislation is that the use of a Regulation rather than a Directive will mean very little opportunity for individual countries to have their own version of the law. Based on this harmonisation, the Commission reckons that the Regulation would save European business €2.3 billion per annum. This is a hotly contested figure: the UK Government’s own assessment is of an additional net cost to UK plc of £100-£360 million per annum.
Some of the major issues with the current draft are as follows:-
Non-European companies can be caught by the Regulation if they direct products and services to individuals in Europe.
Introduces the “right to be forgotten”
A very unpopular move that would make data management difficult and the future suppression of a “forgotten” individual impossible.
Compulsory Data Protection Officers in businesses
This is already a requirement in some European countries. Initially only companies with over 250 employees had to appoint a DPO but a recent amendment may mean that any organisation processing more than 500 records a year would be caught.
Compulsory breach notification
In a move which will be familiar to US companies there is a requirement to notify breaches both to the regulators and to individuals affected.
The marketing industry is concerned that opt-in consent may be required for all promotional messaging (unless the company can argue that it has “legitimate interests” to send marcomms).
Changes made last month by the consumer-sympathetic “LIBE” Committee have made things worse. At a meeting of the European Parliament on the 21st January to discuss the LIBE report, Axel Voss MEP suggested that strengthening of the rules around profiling could be damaging to business and pleaded for some proportionality: ‘everyday business activities may be caught by the current definition, even though in reality, they are not negative things’.
The European Parliament’s Internal Market and Consumer Protection Committee (IMCO) is in favour of softening the Regulation but there will be a number of votes on the proposals before the fate of the Regulation is finally decided, in all likelihood by the summer of 2013.
The earliest date for implementation is probably 2016. That said, the main sponsor of the Regulation, Vice President Viviane Reding, is adamant that the reform will take place, and take place quickly.
Lord McNally, Justice Minister, representing the UK Government’s position said that it wanted to see ‘EU data protection legislation that protects the civil liberties of individuals while allowing for economic growth and innovation. These should be achieved in tandem, not at the expense of one or the other.
We will consider the committee’s recommendations carefully as part of the ongoing negotiations on these proposals.’
There is some support for proportionality when it comes to handling non-sensitive data (even from the Regulators, who would be hard-pressed to deal with the requirements for indiscriminate breach notification).
Expect to hear much more in the future about the effects of the Data Protection Regulation on your business. Now may be a good time to make an impact assessment for yourself.