It has been a year since the European Commission (EC) published the first draft of its updated data protection law. Though broadly welcomed within the European Union (EU), it has drawn criticism from some quarters for being overly prescriptive and out of touch with the rapid change in digital communications.
When the previous Data Protection Directive was enacted in 1995, the web was a relatively new phenomenon; an internet connection was the preserve of a minority, and social media was unheard of.
Now social networks have largely replaced SMS as a medium for personal communications, and businesses have embraced digital to such a degree that it would be difficult, and in some cases impossible, for many of them to exist without it.
Recently, the EC stated that 70 per cent of EU citizens are worried about the misuse of their personal data – resulting in the current regulation, which is expected to become law within the next two years.
Its basic tenet is that personal data should be afforded a high standard of protection, both physically and digitally, and that individuals should have the right to complain and obtain redress in the event of misuse or theft. Looking beyond the EU's own borders, it also prescribes the conditions in which this data should be transferred and stored outside the union.
The original draft was published in January 2012, and the legal profession has since been casting its eagle eye over the details. In October, the House of Commons' Justice Select Committee published a damning report in which it admitted that change was needed to confer on individuals their new rights and freedoms, but concluded that the over-prescriptive proposals “need to go back to the drawing board”.
The committee said the regulations would not produce a “proportionate, practicable, affordable or effective system of data protection in the EU”.
The Information Commissioner's Office (ICO), too, claimed the draft law was heavy handed and allowed no flexibility to adjust to the individual circumstances of each EU member country. The ICO has also expressed its concern about the cost of implementing the new regulations, which would require changes in the way the watchdog operates.
For example, the draft states that companies wishing to move data outside of the EU – to a US cloud service, say – must first obtain permission from their country's relevant data authority.
Iain Bourne, the ICO's data protection policy group manager, says: “We're about providing guidance and assistance for organisations to help them handle people's information properly, and that's what we want to continue to do. We don't like, in general, the concept of prior checking. We find it highly unlikely that we'd be able to get all of the staff needed to do all this, and there's a real danger of backlogs – it could create all sorts of problems in terms of stifling innovation and creating a market disadvantage.”
What's more, the ICO currently manages its caseload by dismissing the obviously trivial items from the tens of thousands of complaints it receives each year. Under the new regulations, the organisation would have to apply the letter of the law to every case received, leaving it unable to focus solely on those with the biggest ramifications.
Bourne explains: “We like to go for bigger fish and are worried that our discretion might be reduced and we won't have that flexibility any more. Like it or not, that's what you need to run a regulatory authority – we are never going to be in a position to give everything equal attention in the way that is envisaged in the regulations – so there are some real difficulties there.”
The regulations are based on five objectives: to strengthen individuals' rights; improve harmonisation across the EU; promote high standards of data protection worldwide; strengthen and clarify the roles of national data protection authorities; and to revise data protection rules regarding police and judicial cooperation in criminal matters.
Much of the proposed law regulates how data is handled. It separates out two levels of responsibility: the data controller and the data processor. The first takes prime responsibility to ensure that information is secure and properly handled – managing the data processors by means of suitably worded contracts.
This is particularly important where cloud services are employed or in any circumstance where a third party takes charge of data normally held within a company. Such movement of data was until recently the preserve of multinationals, but the cloud means this has implications for all businesses.
To ease the movement of data, the EC has translated the Safe Harbor regulations, which apply to European data held within the US, into a global context known as Binding Corporate Rules. This requires multinational companies to register their data-handling policies and strictly apply them to all information charged to their care.
David Kemp, director of legal policy at Autonomy, points out: “So far only 29 companies across Europe have complied, but it's something the data regulators are very much in favour of. What you're saying is: here are the rules by which I'm prepared to live. It comprises policy, training and technology to monitor the data, and an audit process that will include assurance of compliance.”
Using technology to monitor data implies added expense for the organisation because of the amount of information that is likely to be accumulating, both in structured formats, such as spreadsheets, and in unstructured emails, voice traffic and even YouTube videos.
“At companies such as Citigroup or JP Morgan, there will be millions of emails arriving every day, or certainly every week,” Kemp adds. “There is no way that the mind of man or manual intervention can monitor this. The advances in technology of the past 10 years make it possible to show an audit trail of who actually saw an email, what was done with it, and who had access to it. From an audit provenance point of view, it's possible to produce this evidence.”
This will be the main concern of larger companies, which will also have to appoint a data protection officer responsible for ensuring that policies are upheld and updated. This role will be similar to that of internal health and safety officers, who must ensure that the law is upheld independent of any allegiance they may have to their company. Companies with fewer than 250 employees will not need to make this appointment, but will still have to comply with the regulations as best they can.
This is causing some concern – several companies refused to be interviewed for this article because they were taking legal advice on the implications.
Another concern is the huge fines that could be imposed for breaking the law – as much as €1 million (A$1,249,146), or up to two per cent of global annual turnover.
Bob Tarzey, principal analyst at Quocirca, says: “Smaller companies are more worried about fines, while bigger companies worry about the data and its broader consequences. This may change as fines move to a percentage of revenue as opposed to absolute maximums.”
Vice president Viviane Reding, EU commissioner for justice, fundamental rights and citizenship, is keen to calm these fears. Her spokeswoman says:
“A single set of rules is good for competitiveness, good for big business, good for SMEs. Our goal is to cut the administrative burden, and that is why SMEs are already exempt from some requirements, like having a data protection officer. Secondly, the regulation sets out basic rules and principles, ready to be applied and enforced. Delegated and implementing acts ensure that if, in practice, more specific rules are necessary, they can be adopted without going through a long legislative journey. However, this does not mean giving a blank cheque to the commission. We are open to review the delegated acts one by one, together with the member states, and to limit them to only what is truly necessary to keep the regulation sufficiently open to future technological developments.”
Ringing the changes
A large part of the legislation will merely restate policies that are already established under current data protection regulations.
In a keynote given to the Gartner Security and Risk Management Summit in London this year, the deputy information commissioner, David Smith, said the need to gain consent to gather and process personal information is one major change.
“We all have a right to know what information organisations keep about us. But even if I deal online as a customer, I can still be told, ‘well you must write to me by traditional snail mail asking for access to the data. You must pay me £10 and I have 40 days in which to respond’.
“These individual rights are out of date with the way that people do business these days. So essentially, if I do business with you online, I will be able to request access to data, you won't be able to charge me and you will have 20 rather than 40 days in which to respond.”
The exception to data movement controls is de-personalised data. When data is aggregated in such a way that the identity of individuals cannot be discovered or implied, it will simply be considered to be private company data and can be moved across borders with impunity. Javvad Malik, senior analyst for enterprise security practice at The 451 Group, feels this does not go far enough.
“If I use my credit card, the bank may anonymise that data and sell it off as intelligence to other companies,” he explains. “So a department store may buy this from them to find out the average age of its customers and other statistics. The bank is making money from it and, as a consumer, I find that unfair. In that case I would say, ‘forget it all and only use it for the purpose it was collected for’. I think the directive should do that to curb this sort of behaviour.”
The new regulations are aligning with US law regarding breach notification, but applying a 24-hour limit, rather than 28 days, on notifying the regulators and any affected parties. Jonathan Armstrong, a partner at law firm Duane Morris, feels this is unreasonable: “One day is wholly unrealistic. Given that most sensible organisations only tell a dozen people about the breach because they are sensitive about share-price fluctuations, to think that a dozen people can almost plug the hole in the dam and make reports to regulators within 24 hours is just crazy.”
Stewart Room, a partner at law firm Field Fisher Waterhouse, goes further: “My prediction is that the 24-hour rule will go. It would become litigious and there are lots of legal problems in this.”
Another issue causing a stir is the right for an individual to demand that a company removes all their personal information from its electronic record – dubbed “the right to be forgotten”. This could have serious implications for social networks – to the point of being impossible for full compliance. Armstrong says:
“Basically, I'm sympathetic to the ideas behind that. There is a real issue, for example, with drunken teenagers putting photographs of themselves on Facebook and then regretting it. The proposals just show that, regrettably, the commission doesn't understand the Twitter/Facebook society and is trying to write legislation it says will have to last for 10 or 15 years – but it isn't even fit for purpose today.”
This is something that may also be seriously watered down by the time the law is enacted. The ICO's Smith says: “I don't think you should worry too much about it because Reding described it as more of a slogan than a reality.”
Reding wants the updated directive to go live before her replacement is appointed in 2015. She has passed the draft to the European Parliament for ratification – and it is here where any modifications will be made. Lobby groups – including representatives of US web giants – have already started gathering in Brussels to press their cases.
On the prospect of the regulations being toned down, however, Reding's spokeswoman is defiant: “The members of the European Parliament are working on our draft proposals. I trust that they will take great care that citizens' rights will not be watered down at the expense of lobbying efforts from mighty internet companies.”