In 1995 less than 1% of Europeans used the internet, Blur’s Country House reached No 1 in the UK and the European Union introduced the 1995 Data Protection Directive. Fast forward seventeen years, over 60% of Europeans use the internet, Blur is still kicking around picking up Brit Awards and the EU has decided now is a good time to overhaul the Data Protection rules.
Revision of the European data privacy legislation is a pretty dry topic even by Brussels’ standards. However, if you’ve been the victim of internet hackers or indeed one of the estimated 77 million users of Sony’s Playstation Network who lost data in 2011, you may well think that the European Commission’s draft rules are long overdue. Similarly the legislation is of great interest to a vast range of sectors, from banking to insurance and telecommunications to retail, all of whom need the legislation to keep pace with globalisation and rapid technological developments.
Outside of the Eurozone crisis, the new data privacy legislation is one of the biggest issues in Brussels. Indeed it should be viewed in the context of the crisis because Europe needs consumers and citizens to feel safe and secure when sharing their data, to trust new technologies and use them routinely in order to stimulate growth. The holy grail of growth, job creation and innovation is ultimately what the European Commission and Member States are seeking.
There are three major themes in the draft regulation: strengthening the rights of data subjects (you and me); increasing the responsibilities of data controllers and processors (your mobile phone provider, bank etc); and tackling international data transfers. (The Commission also published a draft Directive regarding personal data privacy in the context of investigating criminal offences but this article focuses on the general EU regulation).
The rights of data subjects include some interesting goals: the right to be forgotten, the right to data portability, the right not to be subject to measures based on profiling, and a tighter definition of consent.
The Commission wants to put individuals in control of their personal data; for instance, the right to be forgotten would ensure that a social network provider deletes an individual’s data immediately and completely on request. Data portability would offer consumers the right to transport their data from one service to another — to deactivate a Facebook account, for example, and take one’s trove of pictures, posts and contacts to Google Plus.
However, concerns have been raised that the new rules seek to demonise the technology, particularly around profiling, rather than governing profiling activities with adverse effects. After all, not all personalisation and customisation of products or services is negative. Similarly, there are concerns about the definition of consent. The draft rules state that it must be given ‘explicitly’, meaning that it is based either on a statement or on a clear affirmative action; questions will arise about this definition: is downloading an app, for instance, a clear affirmative action? We can expect heavy lobbying on these issues from consumer rights groups, mobile network operators, insurance companies and indeed membership charities.
Two of the biggest debates around the responsibilities of data processors and controllers focus on data breach notifications and sanctions. Last year the Financial Times reported that a breach of the new rules would be punishable by a fine of up to 5% of global turnover. The subsequent negotiations have watered this down – it is currently pitched at around 2%. However, the European Parliament will want its pound of flesh – securing serious non-compliance fines would please consumer pressure groups.
Policy-makers are under pressure to ensure that the resource implications for business are proportionate to the benefits delivered by any safeguards. The Commission is proposing 24-hour breach notification. Industry bodies argue that in most cases 24 hours is not enough time to conduct an investigation to determine the extent and cause of a breach, let alone notify third parties.
The third major theme in the draft regulation is the transfer of data to non-EU countries. The EU wants its rules to apply to EU citizens’ data regardless of the geographic location of a company or its processing facility. There are concerns that the use of cloud computing – which promises cost savings for business – may also be inhibited by additional restrictions on the transfer of personal data outside Europe, including cumbersome regulatory approval requirements.
Professor Christopher Millard of Queen Mary University London recently argued that “given the ease of global data transmission…what matters most for privacy and security is who can access the data in intelligible form…we proposed a more radical solution, namely abolishing the restriction on data export, focusing instead on appropriate measures to ensure security, transparency and accountability, regardless of the geographical location of personal data.”
Such radical suggestions are unlikely to gain traction in the European Parliament but one thing is clear: given the ease of global data transmission and EU-US negotiations about data for anti-terrorist purposes, seventeen years after the first Data Protection Directive, European data privacy is yet again one of the most politicised debates in town.