An unhappy union?
Written by Peter Davy
Harmonisation of EU data protection regulation sounds simple in theory, but in practice, may not be quite as straightforward. Peter Davy looks at the proposals
When the EU last drafted rules on data protection, it was estimated that the internet had 16 million users worldwide. Today there are more than three times that number in the UK alone.
It is perhaps surprising, then, that the EU insists its first revision of the law since 1995 is to be comparatively painless for business. In fact, when the European Commission vice-president Viviane Reding set out the proposals in January, she insisted the new regulation would save businesses up to €2.3 billion a year by harmonising the hotchpotch of 27 national regions.
“The directly applicable regulation will create a strong, clear and uniform legislative framework that will help unleash the potential of the digital single market,” she promised. Well, perhaps. But most consider there to be a good deal of work to be done first.
It is true that the change should deliver a consistent legal framework. As a European regulation, it will apply directly, unlike the current EU Data Protection Directive that is implemented by national legislation (the Data Protection Act 1998 in the UK).
“At the moment it is a similar situation in Europe to the US, where it is easy to get bogged down in the different laws in each state. Having one, unified legislation has to make it easier,” says Chris Cotterell, owner of broker Safeonline.
To claim that means savings to businesses overall, however, may be pushing it. After all, the law is being strengthened, as James Mullock, head of data protection at solicitors Osborne Clarke, points out.
“The changes are essentially trying to bring more rigour and better governance in the way businesses handle data,” he says. “That is a good thing but inevitably it means more processes, procedures and compliance measures that all cost money.”
Jana Fuchs, an associate in the Hamburg-based data privacy and security practice at law firm Bryan Cave, agrees. “It is not as overwhelmingly facilitating as the EU Commission would have us believe,” she remarks.
The long road to change
In fact, the proposals contain a number of new requirements that many may find difficult and expensive to implement. They include “a right to be forgotten”, rights to “data portability”, compulsory notification of breaches, and an insistence on “explicit consent” before data can be processed. There are also new fines proposed for breaches – up to two per cent of annual turnover for the worst cases.
“It is almost a punitive approach to raising the awareness of how important it is to protect the data,” says Bruce Green, chief operating officer at IT security firm M86Security. “From a security perspective it is going to start making people sit up and take notice.”
However, how seriously businesses should really take the proposals is a matter for debate.
For a start, they’re subject to change. Speaking at the launch, Reding remarked on the intense lobbying during the drafting – the strongest she’d ever encountered – but stressed it had been largely resisted.
“The legislation was on the table on 25th January as I wanted to have it – so much to the efficiency of lobbying,” she boasted. Whether the proposals will prove quite so resilient to the concerns of national governments (with the UK’s already reported to have concerns that the regulations favour consumers too heavily at the expense of business) is less certain.
Dr Chris Pounder, co-founder of IT law training firm Amberhawk, expects significant changes. “The regulation is far too prescriptive and has come at a time when there is real economic hardship. I can’t see governments willingly saying to businesses they have got to do all this.”
Furthermore, even if the proposals make it into law untouched, their impact will vary. Some provisions, for instance, are likely to be less significant than the headlines suggest. Consider the maximum two per cent fine, for instance. Given the UK’s Information Commissioner’s current maximum penalty is £500,000, those with a turnover under £25m will actually see a reduction in the possible penalty.
Moreover, a lot will depend on implementation – particularly for those medium-sized enterprises, who will want to establish how zealously the regulations are applied. Whether regulators look for just a couple of big scalps each year to make examples of or enforce the new regulation systematically across industries is likely to be noted.
As Richard Turner, chief executive of web security company Clearswift, puts it: “Regulation is valueless without enforcement.” In fact, there’s an irony that if the regulations aren’t proactively enforced, being an early mover may be a disadvantage. After all, those with good systems will be obliged to report any data breaches they detect.
“You could get this strange situation where the best organisations are the ones reporting breaches and made out as the villains, while the worst organisations don’t even know that they had a breach,” warns Peter Gooch, security and privacy director at Deloitte.
Fundamentally, however, the legislative process in the EU means that any changes are still some way down the line – probably at least four years until new regulation is implemented. That makes it difficult to know how to react.
“At the moment it is just too early,” says Fuchs. Pounder agrees: “If I was advising businesses I would say keep a watching brief on it but don’t plan to do anything yet.”
Despite that, there are good reasons to consider looking at the implications now. First, because the chances to influence the legislation are already slipping away. The Ministry of Justice’s call for evidence, appealing for organisations to comment on the potential impact, closed in March, and the government horse trading will soon start.
“There is actually very little time to get businesses’ concerns heard,” says Mullock. “There is a real danger in being lethargic.”
Furthermore, regardless of the finer details, the regulations broadly reflect the way the debate is turning. That’s perhaps clearest on compulsory notification. In the US most states have already enacted similar laws and this has arguably done more than anything else to drive insurance for data breaches, the use of mitigation methods such as encryption and the profile of data protection generally. In Europe, meanwhile, countries including Austria, Norway, Germany and Spain have implemented mandatory breach notification, and few doubt the EU regulations will include this requirement.
“It is a glaring omission in Europe at the moment and I think most people accept that,” says Matthew Norris, head of technology at Hiscox. Similarly, the requirement for an explicit opt-in has been a long time coming and looks likely to make it into law.
Moreover, there’s good evidence consumers want better protection. The right to be forgotten is likely to prove one of the more contentious for businesses due to the difficulty they may face implementing it. For customers, however, it’s entirely uncontroversial. A 2010 survey by the University of California, Berkeley found 92 per cent of those questioned saying the law should require deletion of personal data after a certain point. Likewise, when Dublin-based mobile security company AdaptiveMobile surveyed smartphone users in the UK, nine out of 10 said they were concerned about personal information being collected from their phone, and 69 per cent said it was completely unacceptable for mobile apps to take information from users without permission – despite the fact many of the most popular apps on the market do exactly that.
Finally, however, companies need to look at data protection again because even under the existing regime there’s good evidence many are still failing to live up to the standards expected. In the UK, the Information Commissioner fined Cheshire East Council £64,000 in February for breaches of the Data Protection Act, shortly after finding five other local authorities had also been responsible for breaches. It was also considering what fine to impose on O2 after the mobile company’s accidental posting in January of a list of customers’ phone numbers and the websites they visited led to so many complaints the regulator had to post a note on its website asking consumers to stop submitting them. Worldwide, last year saw the greatest number of data protection breaches ever, with the total number of records exposed in 2011 topping 368 million, according to IT security group Risk Based Security Inc.
“The current regime in different countries across Europe is already quite strict,” points out Fuchs. “The biggest danger I see for most at the moment is that they are not in compliance with the current law. There is plenty to look at before this regulation comes into place.”
Compulsory notification of data breaches: Companies have to report losses to the Data Protection Authority within 24 hours. That’s likely to help drive popularity of cyber liability cover, reckons Michael Thyssen, vice-president, European products manager for Chubb.
“In our experience, tough regulatory oversight does increase demand for cover. We see this in the US where mandatory notification has existed for some time and the proposed EU Directive is likely to have the same impact across the continent,” he says.
New fines: 0.5% of a company’s global turnover for charging a user for a data request, one per cent if a firm refuses to hand over data or fails to correct bad information, and two per cent for more serious violations. These modifications change the terms of the debate, says Cotterell. “When the penalty was more like £50,000 people felt you could take it or leave it, but now, some of the fines...are beginning to focus [the] attention.”
A right to be forgotten will mean data subjects can request any personal data is deleted. This will be difficult for many companies to guarantee.
“From a theoretical point of view it is appealing, but in reality once your data is out there quite often the extent to which organisations are able to trawl through their network of sub-contractors to call that information back is limited,” says Gooch at Deloitte. Similar challenges are anticipated for companies to ensure “data portability”, allowing customers to transfer the personal information they’ve posted on one social network site to another site, for example.
A data protection officer must be appointed in all organisations over 250 employees. This is one of the provisions that has been criticised as too prescriptive. Pounder points out that it would require an engineering firm over the 250 worker threshold to appoint an officer, while a private investigator below it wouldn’t, for example.
Nevertheless, having someone oversee data protection issues is a good idea, says Stephen Shelton, head of data at data management specialists Detica. “It is good practice to have someone who is accountable for it. Whether that role is successful, however, will depend on the amount of support and sponsorship from the board.”
Explicit consent: All organisations operating in the EU must obtain explicit, freely given, specific and informed consent from individuals to process their personal data. Consent implied through inactivity or silence won’t be acceptable.
It’s another key change, says Shelton: “It is going to be challenging, especially in large organisations where they have several channels through which customers operate, several products, for instance, and customers giving consent at lots of different times to different things. Getting a single picture of what a customer has consented to can be challenging for companies already so if you are moving to a more stringent regime of explicit consent some will struggle. They may even have to ask for consent all over again.”