Member Article

DWF on EU data protection proposals

What will the new EU data protection proposals mean for UK businesses?

Rob Machin, Corporate and Commercial Associate, and Bob Elliott, Partner in Litigation IP/IT at DWF LLP, explore EU data proposals.

It has become increasingly clear that current data protection rules have fallen behind the way people share information in the modern age. The current UK regulations are based on an EU directive developed three years before the incorporation of Google, nine years before the launch of Facebook and 11 years before the first tweet. With that in mind, the European Commission released its proposals for an overhaul of the EU data protection regime last week.

While the UK regime is relatively flexible, thanks to the continued guidance of the Information Commissioner’s Office (ICO), it has been widely acknowledged that the law is in need of updating to keep up with advances in technology and new personal data risks that are emerging.

However, although an update is welcomed in principle, the proposals are proving controversial. The general consensus is, that in an attempt to protect the individual, unreasonable and unworkable burdens risk being placed on businesses.

What will the updates change?

There are two main issues that will affect businesses, proposals regarding individuals’ rights over the use of their personal data, and new obligations which businesses must meet in terms of data protection, all set against a significant new sanctions regime for breaches of data protection rules.

With regards to the first issue, the proposals require that where businesses are looking to rely on an individual’s consent to process personal data that consent is always explicit, currently implicit “opt-out” systems are allowed. We may see some companies looking for innovative ways to obtain this consent, potentially falling foul of the regulations in the process.

Individuals will also be able to request that all their personal data is erased by a business if it is no longer necessary for the company to hold it. If this data has been processed by others, the business will have to take steps to inform these third parties of the request for removal. It’s not yet clear exactly how this could work in practice, but for obvious reasons it is likely that this would be an extremely testing task for affected businesses.

Secondly, there are also real concerns that proposed rules on reporting data protection breaches are overly onerous. When there is a breach, such as a hacked network, a business will have to notify the ICO and affected individuals without undue delay, and, where possible, in less than 24 hours.

An obligation to notify the ICO and inform individuals at such short notice could actually divert resources away from resolving the breach. The proposals do suggest that companies will be excused for missing the 24 hour deadline if they have “reasoned justification” for doing so, so companies may look to rely on this caveat in the event of a serious breach.

To back up this up the European Commission has proposed a staggering new regime of fines for breaching data protection rules, which, in a worst case scenario rise to €1m fines for individuals and fines of two per cent of annual worldwide turnover for organisations; a massive increase from the current £500,000 ICO cap.

Conclusions

It is likely that the updates will have significant implications for many businesses. However, they are still very much at the proposal stages, in all probability not becoming law until 2014 or 2015.

Within this timeframe, the regulations will probably evolve, but it is virtually certain that businesses are going to be expected to do more to protect individuals.

We would advise that businesses take steps now to adhere to current best practice in the use of personal data, so as to be in good shape for the introduction of the ‘new world’ regime.

This was posted in Bdaily's Members' News section by Martin Jenkins .