9 February 2012

Data Protection Reform: Insight from Brussels

What do the proposed European data protection reforms mean for businesses? What can they do about it?

by Patrick Barth and David Carrol, members of the Information & Communication Technology Practice group

Download Data Protection Reform Factsheet - Insight from Brussels | January 2012 (PDF)

Introduction

In January 2012 European law-makers presented a proposal for reforming data protection laws. The proposed reforms include restrictions on global data flow and weighty compliance and infringement costs which will have a significant impact on the day-to-day operations of all businesses regardless of sector, size, or geographical location. There remains significant scope for business to influence the reforms. The time for action is now.

Why this proposal?

The proposed reform, which would supersede out dated current European data laws originally adopted in 1995, is guided by two central aims: (1) to protect the individual's fundamental right to data protection; and (2) to establish a truly harmonised European framework which would facilitate and guarantee the free flow of personal data between Member States and beyond.

Rapid technological developments in recent years have contributed to the unprecedented flow of personal data between individuals and businesses. The innovative capture and use of data has given rise to new billion dollar industries – 'data dollar' industries. As a direct consequence the value we attribute to data and how we ensure individual privacy needs to be redefined.

The long considered forthcoming proposal thus presents an initial attempt by European law-makers, and indeed any national lawmaker, to address this new challenge in a way which secures the data integrity of the individual without impeding the future growth of industry.

Its main elements + what do I need to know?

The proposed reforms will lay the foundations for an allencompassing European data protection framework. By forging this harmonised legal apparatus law-makers hope to avoid the complex inconsistencies that currently exist between different European countries – inconsistencies which ultimately raise the cost of doing business in Europe and complicate the enforcement efforts of empowered authorities to protect citizens.

The main elements of the proposal are as follows:

Enhanced rights for the individual: The right of the individual is very much at the heart of reform. Detailed 'Privacy- by-design' require-ments and 'Right-to-be-forgotten' clauses are provisions which are appear to increase the rights of the individual.

How these measures will be practically implemented is less clear. At this stage it looks like law-makers are expecting business to shoulder a greater share of the legal responsibilities – a responsibility which inevitably entails greater costs for companies.

Data security and breach notifications: Companies will be required to implement appropriate technical and organisational security measures. Furthermore, they will be required to carry out an evaluation of the risks before implementing the security measures.

In the event of a security breach, companies must inform the supervisory authority and individuals adversely affected within 24 hours.

Companies with more than 250 employees may also be lawfully required to appoint a data protection officer who must have expert knowledge of data protection law and practices.

Steep infringement fines: To ensure that companies abide by data protection laws the proposed reforms seek to empower supervisory authorities to impose bans on a company's data processing, block its international data transfers, and impose hefty fines - up to 2% of its global turnover - for data misuse. A provision giving individuals the ability to lodge a complaint against a company with any European supervisory authority is also considered.

Global reach: The cross-border nature of data flow makes the regulation of this space extremely difficult. To address this challenge European law-makers are proposing that new data rules apply to any business involved in the processing of data belonging to European citizens.

In other words, no matter where a business is established, or where it processes its data, the business will be judged according to the proposed European law.

What is the business impact?

In many respects business will welcome regulatory action in this area. Existing European laws have generally been criticised for being inconsistent and a hindrance to a freer flow of data. To this end, a new harmonised framework stands to benefit businesses and its data activities.

On the other hand if business interests are not sufficiently reflected in the future law the potential for burdensome compliance costs, complex legal anomalies, and unpractical restrictive provisions is great.

An ill-conceived European data framework will undermine the law-makers' stated aim of enhancing data protection in a technologically advanced and global world. More alarming, from a business' point of view at least, is that it will be businesses shouldering the brunt of the responsibility for realising such a vision without being able to extract many of the benefits.

Next steps + opportunities for influence

Now that the proposal has been officially presented elected European lawmakers representing all political parties will be given ample opportunity to review and amend it. Eventually an amended proposal will be adopted and becomes law, at which point it will be immediately applicable throughout Europe. There is no exact timeline for this process, but we would not expect to see a final result before late 2013 or early 2014.

The long adoption timeline is good news for companies who are seeking to influence the future data law. Over the coming months European law-makers will be looking for further factual input from companies on what the future data law should look like. Indeed, the earlier the engagement the greater the potential for companies to influence.

A comprehensive public affairs campaign built upon strong 'bottom-line' messages delivered at opportune points in the adoption cycle will go a long way towards ensuring that a future European data protection framework is proportionate and workable for businesses.

Given that US lawmakers will too soon be discussing the possibility of developing hard-wired legislation on data protection, companies must be prepared to engage with legislators on both sides of the Atlantic.