2013 was the year in which we saw revelations of widespread monitoring of email traffic by counter-intelligence agencies, a failure of some of the world’s most respected technology firms to comply with current privacy laws and ever more stories of data breaches and fines. It was also when we saw the European Parliament publish its draft text for a comprehensive new EU data protection law.
This article explores the trend towards enhanced privacy regulation both here in the UK and around the world, and the expectation that data protection compliance will take more of a front seat in decision-making processes.
New privacy laws
Current UK and EU data protection laws largely derive from the Data Protection Directive. Bearing in mind this legislation was presented in 1995, at the dawn of the internet/email era and well before technologies such as Facebook, cloud computing and mobile apps were ever contemplated, it is not surprising that legislators are now pushing for a new, reforming, legal framework.
In October 2013 we had first sight of the European Parliament’s long-awaited proposals for a new Data Protection Regulation.
The draft text may have a way to go in the EU legislative process, and 2014 will be instrumental in seeing how that shapes up, but the overall direction of travel is clear: greater harmonisation across member states; increased regulatory enforcement; a focus on transparency in the way data are used and shared; and an expectation that businesses will adopt more proactive governance structures to manage privacy risk.
The drive towards regulation is not confined to the EU. Companies operating on a global basis will have noticed an exponential rise in international data privacy laws. Robust legislation has emerged in Singapore, Malaysia, South Korea, Serbia, South Africa and many South American countries, whilst the US is busy developing a raft of largely state-led privacy laws. Keeping abreast of these new laws is an increasingly difficult challenge for regulatory teams.
The ICO and its counterparts in other EU countries have a track record of imposing heavy sanctions on businesses who fail to meet basic requirements of data protection. 2013 was a record year for fines, with regulators expressing exasperation at the volume and nature of new data breaches, many of which were committed by well-known online and consumer brands.
We expect the trend of more and higher penalties to continue, with regulators now proposing fines up to five per cent of global corporate turnover.
One of the most striking developments in late 2013 was the disclosure by renegade spy Edward Snowden of widespread snooping on private communications by counter-intelligence agencies.
The story started a very public debate about the extent to which lawful interference in our privacy rights is acceptable to protect national security, whether current legal frameworks provide sufficient protection of those rights and the adequacy of arrangements that currently allow a free flow of data between different countries – most notably to the US via the approved ‘Safe Harbor’ programme.
These concerns are hardening privacy regulators’ views on the legitimacy of data transfers, with a high risk that we will see an increasingly restrictive view from supervisors on the validity of arrangements involving cloud-based services, particularly those operating from a US base. We also expect to see businesses who operate across an international footprint finding themselves “stuck” between conflicting legal duties – a responsibility in one country to disclose information to agencies and restrictions in another on data sharing.
These conflicts will not be easy to resolve.
Strategic approach to compliance
For most, the compliance challenge will be resolved by looking again at internal capacity within the business to manage risk adequately, with a general trend towards investing in better information governance.
Such a structure, if managed effectively, will bring legal and regulatory expertise together with the operational areas of IT, security and data management, allowing risks to be identified early and managed coherently and ensuring the organisation stays ahead of this increasingly complex and shifting regulatory landscape.
Andrew Dyson is a Partner and Co-Chair of DLA Piper’s global data privacy practice