InfoLaw July 2012
Back in March, we looked at the ICO’s analysis of the proposals for the new EU data protection regulatory framework. The Ministry of Justice (MoJ) launched a call for evidence on the proposals, which closed on 6 March 2012, the focus of which was the potential impact of the proposed Data Protection legislative framework. On 28 June 2012, the MoJ published a summary of the responses received further to the call for evidence. Those responses form the subject of this month’s update.
New Data Protection Regime - Update
Remind me – What is the European Commission Proposing?
A draft data protection Regulation has been published which aims to strengthen online privacy rights, increase individuals’ rights in their personal data and, correspondingly, increase the obligations on organisations which process that personal data. The enforcement regime is set to change significantly, and it is proposed that data processors (as distinct from data controllers) become the subject of direct regulation for the first time.
The catalyst for reform has been the combination of a number of things, including the rapid technological development which has taken place since the date of the Data Protection Directive (which, as readers will be aware, was implemented in the UK by the Data Protection Act 1998), in particular the development of increasingly sophisticated online systems, capable of collecting personal data in ways not easily understood by the individuals to whom that data relates (the current debate around “cookies” and the revised e-privacy regulations being a case in point).
The Commission has emphasized that, to keep pace with technological developments, individuals’ fundamental right to data protection requires a comprehensive and coherent new legislative framework. This is a personal goal of the EU Justice Commissioner, Viviane Reding, who views existing legislation as outdated in the context of the importance of today’s online services, such as social networking sites and cloud computing, which mean that individuals leave “digital traces” with every move they make. Viviane Reding’s personal support for the proposed data protection Regulation arises out of her strongly held opinion that the proposals “will help build trust in online services because people will be better informed about their rights and have more control of their information. The reform will accomplish this while making life easier and less costly for business”. The responses to the MoJ Call for Evidence do not entirely agree.
Summary of Responses: focus on the key changes
The scope of the Regulation is too great to consider it, and the relevant responses, in detail in this note. The responses and commentary selected below focus on what, in our view, are the key changes. For those who are interested, a link to the full responses document is provided at the end of this note.
Data subject’s Consent
The draft Regulation specifies that, when required, consent must be explicit. This has provoked mixed reviews from respondents. Whilst some respondents felt that the introduction of the term “explicit” provides clarity, over half of the respondents felt that a requirement for consent to be “explicit” implies a requirement that individuals “opt in” to any processing of their personal data based on consent. The difficulties with a requirement that consumers “opt in” by giving prior consent are currently the subject of considerable debate in the context of the “Cookies Regulations” (in relation to which see our various articles at [insert link]), and such a requirement is simply unworkable as a blanket rule. Many respondents also felt (again borne out in the context of the “Cookies Regulations”) that, in the context of internet services, consumers want a fast, efficient service and do not want their “experience” to be interrupted by the variety of potential methods which might be used to obtain “explicit” consent.
Right to be Forgotten
The proposed Regulation requires that data must be deleted when there are no legitimate grounds for retaining it. Where an individual requests that his or her data be deleted after it has been made public, data controllers are required to take all reasonable steps to comply, including contacting third parties to inform them of the data subject’s request. The overwhelming reaction to this proposal identifies the practical difficulty of accomplishing the erasure of personal data which has been made public, particularly in an online context and even more specifically in the context of social networking.
The respondents to the Call for Evidence also raised the possibility of conflict between this right to be forgotten and other fundamental individual rights, such as freedom of expression. Outside the arena of fundamental rights, it was also acknowledged that complying with legal obligations might create difficulties where the right to be forgotten overlaps with requirements for processing for particular legal purposes, such as compliance with money laundering legislation.
Finally, there are the potential financial implications of the change in business processes which would be required to implement a right such as this, again an issue which has been raised in the context of compliance with the “cookies regulations”.
Right of Data Portability
The draft Regulation provides data subjects with a right to easy (or easier!) transfer of their personal data from one service provider to another and the right to obtain their data in a structured, commonly used electronic format. In general, the response from the public at large and consumer rights groups was positive. For the business sector, who would again need to build compliant systems, there was concern that this would be very costly (particularly for SMEs), largely because of the potential difficulties of moving towards a single electronic format to enable data portability. It would be highly likely, if not inevitable, that the cost of these technological changes would be reflected in an increase in the cost of the relevant services. Arguably, this would be a price worth paying for the benefit to service users; it would depend upon the scale of the increase in cost and the genuine benefit that data portability would bring.
One respondent focused on the opportunity the new right would represent for the development of a range of new information services, working on behalf of the individual, to gather, analyse, store, process, use and share that individual’s data, which would represent a potential source of economic growth in its own right.
Data Breach Notification
The draft Regulation imposes an obligation to notify serious data breaches to the relevant regulator without undue delay and, where feasible, within twenty-four hours. Whilst responses confirmed the prevailing view that notification of breaches is necessary, the overwhelming feeling was that a requirement to report within twenty-four hours of having become aware of the breach is disproportionate and unrealistic. It does not permit time for any genuine investigation and would undeniably lead to a surfeit of data breach notifications being made to the regulators. The potential implication is clearly that individuals might suffer in the event that higher-level breaches were to become lost in the flood of lower-level breaches.
The overwhelming feeling of the respondents was that the Regulation should require notification “without undue delay” and not refer to a twenty-four-hour time period.
Designation of Data Protection Officer
Whilst rights groups have generally welcomed the Regulation’s identification of a need to have an independent data protection officer in organisations where personal data is being processed, both rights groups and businesses question how effective such an officer would be and how the requirement that he or she be “autonomous” would work. Again, businesses felt that this requirement would have additional cost implications and, in larger organisations, would add complexity to the organisational structure.
Sanctions for Breach
A large proportion of the responses received commented on the high sanctions proposed by the Regulation. Whilst rights groups saw the fining powers as an effective precautionary measure, businesses felt that the ability to impose a fine of up to 2% of the annual worldwide turnover of an enterprise is excessive, particularly in the context of administrative/procedural breaches. The current trigger for enforcement action is an individual suffering significant damage or distress as a result of a breach of his or her data protection rights; the new enforcement regime would be triggered by any breach of a specified obligation, irrespective of whether it would affect an individual. In the context, in the UK, of the proposed removal of the fee for notification (which is currently required of all data controllers on an annual basis), there is significant concern amongst commentators that the ability to impose significant fines for administrative breaches might simply be used as a funding mechanism for the regulator. The consensus amongst respondents was that, although some form of penalty is required in response to a breach, it should be proportionate both to the contravention and to the harm caused to individual data subjects.
The UK Government’s position
The MoJ conclusions are, to some extent, predictable in that support is expressed for a framework which works within an environment of technological advances both to maintain business competitiveness and to safeguard individuals’ rights to protection of their personal data. The Government supports, and will negotiate at EU level to achieve, “an instrument that does not overburden business, the public sector or other organisations, and that encourages economic growth and innovation” whilst “at the same time as ensuring that people’s personal data is protected”. This is a position which can hardly be criticised!
To summarise, the government supports:
• transparency of processing, including the provision of accessible and easy-to-understand information about processing;
• the requirement for additional information to be provided to data subjects;
• the introduction of data breach notifications – but only if the provisions reflect the timescales needed to investigate a breach properly and if a sensible and proportionate threshold is provided which excludes minor and trivial breaches;
• the requirement for a strong and independent supervisory authority; and
• the development of a system of administrative penalties for serious breaches, but with proportionate levels of maximum fines and greater discretion in their application by supervisory authorities.
It does not support:
• free subject access – there should be a minimum fee;
• the introduction of new bureaucratic and potentially costly burdens on organisations where no greater protection for individuals would result (such as mandatory data protection impact assessments and the mandatory designation of independent data protection officers); and
• the power the Regulation would give to the Commission to make delegated and implementing acts (which it sees as potentially significantly affecting fundamental requirements and principles).
It also argues for an overhaul of the “right to be forgotten” on the basis that this is impracticable and has significant cost implications, although the government remains committed to the right of individuals to require deletion of their personal data where this is appropriate.
Negotiations with the Council of the EU and in the European Parliament are ongoing and are likely to last until at least 2014. During this time (as will be obvious from the summary of the UK government’s position set out in bullet point form above) there will be further negotiations, new proposals and amendments will be put forward, and additional input from stakeholders and other interested parties will be sought.
The Regulation, when it becomes effective, will be directly applicable, that is to say will not need implementing legislation to take effect in the UK. It is very likely, however, that domestic legislation will be needed to ensure the harmonisation of the Regulation with the provisions of the Data Protection Act 1998 which will remain in force.
The full text of the MoJ summary of responses (published on 28 June 2012) can be found here.
Published: Friday 20th July 2012
Categorised: Information Law