The law on data protection is changing. Are you ready?

What were you doing eighteen years ago? On 24 October 1995?

I had hair for a start—not that I'm bitter. Much.

In other matters:

  • Mark Zuckerberg was just 11 years old and Facebook—or 'The Facebook' as it was known at its inception—was still well under a decade away
  • Amazon had just sold its first book: alas, not a biography of Peter Andre, but the snappily entitled ‘Fluid Concepts & Creative Analogies: Computer Models of the Fundamental Mechanisms of Thought’
  • Twitter was something that only birds did. Well, sort of…

Amazingly, however, in that year the average cost of RAM per gigabyte was a whopping $30,000.

Now it is $5.50.

The world is now a very different place.

So what exactly happened on that day in October 1995? Well, the European Council and EU Parliament had a bit of a legislative shindig and adopted the Data Protection Directive; the Directive being designed, in the main, to regulate the processing of personal data in the EU.

The problem is that the Directive is arguably no longer fit for purpose. Nowadays, we are drowning in data.

All those years ago, when my computer was petrol-driven and needed to be started with a sharp pull of a cord—similar to those found on chain saws—I'm sure that I could hear data clicking in and out when my computer was plugged into the Internet. Perhaps it was that crazy 'zzzzz wirrrr zzzzz fdang fdang' sound that quietly announced itself whenever I wanted to sign on?

Now, according to Intel, 639,800 GB of data is transferred across the Internet every minute. That's a fair few bytes.

However, persistent legal problems remain with the regulation of data. For example, there is the need to clarify:

  • who is in control of the data
  • how to define personal data
  • how to regulate international transfers of data when information is globally accessible instantaneously via the Internet, and
  • which laws apply to any particular processing activity (and how the overlapping complexity of laws that apply to even simple data processing activities should be addressed)

So, in view of all of the above, the EU has attempted to simplify the existing law by proposing a new EU Data Protection Regulation (the ‘Regulation’). As a Regulation, which is intended to replace the existing Data Protection Directive, this new law will have direct effect across the EU and, in theory, instantly improve harmonisation of laws across the single market.

Late last year, it seemed as though the new Regulation was going to be adopted during 2014. But now, everything is up in the air again. Politicians are struggling to agree what the law should do:

Europe's much-ballyhooed, and much-flawed, proposal to re-write its privacy laws for the next twenty years [has] collapsed. The old draft is dead, and something else will eventually be resurrected in its place. We'll have to wait until 2014, or perhaps even later, to learn what will replace it (Peter Fleischer, Global Privacy Counsel, Google)

Google hasn't always had an easy ride over data protection matters, but Peter could well be right.

Things have certainly not been helped by the revelations of the Prism surveillance programme operated by the NSA. This has simply served to politicise the whole process more than would otherwise have been the case. Therefore 'Data D-Day' is probably now going to take place in 2015.

So what are the main changes?

Here's a flavour of the key issues of the proposed new legal framework:

  • the Internet has a long memory. So the EU initially proposed a right to be forgotten. In the current draft of the Regulation, this is now a slightly less onerous right to erasure: people would be able to ask that their data is deleted if they no longer want it to be processed and there are no legitimate reasons for keeping such data (there is currently a proposed exemption for any storage technology which doesn't allow for erasure and was installed prior to the Regulation coming into force)
  • potential fines of up to €100 million or 5% of annual worldwide turnover (ouch!)
  • cloud providers which are based outside of the EU and which host personal data of EU citizens will, in many cases, be subject to the EU Regulation (eg even if the cloud providers are located in the US, Equatorial Guinea or anywhere else for that matter)
  • many definitions are likely to be broadened
  • data profiling will be more strictly regulated
  • data breaches will also be subject to a more onerous notification framework (eg notification without 'undue delay')
  • many businesses will be obliged to appoint a data protection officer ('DPO')

Quite a few significant changes then!

Now at this point, I'd like to say that it is 'time to get planning'. The difficulty, of course, is that this Regulation is, at present, a massive moveable feast. Watching it go through legislative scrutiny seems to be akin to 3D chess.

That said, this doesn't mean that businesses should sit on their hands until the Regulation is adopted. There is an embarrassment of changes that will come into force, and a business's systems may need to be significantly amended to deal with them.

Businesses would do well to keep a keen eye on developments to avoid being caught out or, even worse, fined in due course.

On a positive note, just think how bad things will be for legislators in 2035 when they will have to deal with the challenges of living on the Moon and people buying their weekly shop at the Sea of Tranquillity Tesco Metro with a single thought/blink of the eye…
