Draft Data Protection Regulation summary of main features
The draft European Regulation on Data Protection is currently being debated in Europe.
This is the first major overhaul of the legislation since the 1990s. Change is needed because developments in data management, hosting and social networking have outpaced the old law. There has also been consumer pressure to tighten data security, require meaningful consent and curb the more privacy-intrusive aspects of the internet.
The European Commission released a draft of the new legislation in January 2012 and there has been frantic lobbying from business interests, privacy groups and governments ever since.
One thing to realise about this legislation is that the use of a Regulation rather than a Directive will leave very little opportunity for individual countries to have their own version of the law: a Regulation applies directly in every member state, whereas a Directive must be transposed into national law. Based on this harmonisation the Commission believes that the Regulation would save European business €2.3 billion per annum. This is a hotly contested figure; the UK Government's own assessment is an additional net cost to UK plc of £100-£360 million per annum. The UK would favour a Directive in place of the Regulation, but this is thought to be unlikely.
What will the new draft General Regulation change?
Some of the major issues with the current draft are as follows:
The marketing industry is concerned that opt-in consent may be required for all promotional messaging (unless the company can argue that it has "legitimate interests" to send marcomms).
Consent is defined as
“Specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action signifies agreement”
Consent will be purpose-limited and significant record keeping will be required, since the controller will bear the burden of proving that consent was given. The Council of Ministers has proposed a change in the text removing "explicit" and adding "unambiguous". However, either version would mean that the individual must take clear and affirmative action to confirm consent; pre-ticked boxes and silence would not do.
Non-European companies can be caught by the Regulation if they offer goods or services to individuals in the EU or monitor their behaviour, even if they have no establishment in Europe.
Introduces the “right to erasure”
Formerly the "right to be forgotten", this is a very unpopular move that would make data management difficult. The May 2014 ruling by the European Court of Justice against Google (the Google Spain case, decided under the existing Directive) has caused tens of thousands of requests for removal of links, but is regarded by many as unworkable.
Compulsory Data Protection Officers in businesses
This is already a requirement in some European countries. Initially only companies with over 250 employees would have been required to appoint a DPO, but amendments proposed by the European Parliament could mean that any organisation processing the personal data of more than 5,000 individuals in any 12-month period would be caught. Again, the Council of Ministers has a lighter touch, suggesting that the appointment of DPOs should be subject to local law.
Compulsory breach notification
In a move which will be familiar to US companies, there is a requirement to notify breaches both to the regulator and to the individuals affected. The Commission's draft set a target of 24 hours, where feasible, for notifying the regulator, which the European Parliament proposed extending to 72 hours; individuals would have to be told where the breach is likely to adversely affect them. Controllers would also have to document every breach, in effect maintaining a register of breaches.
The processing of information about children will become subject to much tougher rules, including (in the Commission's draft) a requirement for parental consent before online services are offered to children under 13.
Accompanying the new rules are potentially tough penalties of up to €1 million or, for an enterprise, 2 per cent of annual worldwide turnover for the most serious data protection breaches. The European Parliament has proposed raising this ceiling to €100 million or 5 per cent of turnover.
Changes proposed by the consumer-sympathetic LIBE Committee (the European Parliament's Civil Liberties, Justice and Home Affairs Committee) have exacerbated the potential impact on business use of personal data, particularly for marketing.
Strengthening of the rules around profiling could be especially damaging, and there have been pleas for some proportionality so that everyday business activities which do not have a negative privacy impact are not caught by the definition.
The Council of Ministers is, in general, in favour of softening the Regulation but there will be a number of votes on the proposals before the fate of the new law is finally decided, in all likelihood by the end of 2015 or beginning of 2016. The earliest date for implementation is probably 2018.
The UK Government’s stated position is that it wants to see EU data protection legislation that protects the civil liberties of individuals while allowing for economic growth and innovation. The Government is adamant these should be achieved in tandem, not at the expense of one or the other.
There is some support for proportionality when it comes to handling non-sensitive data (even from the regulators, who would be hard-pressed to deal with the volume of reports that indiscriminate breach notification would generate).
Published May 2015
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.