When the European Union Data Protection Directive was passed in 1995, the concepts of data, data privacy and storage, and the potential for misuse of that data were very different. The internet, furthermore, was still young and the Directive, in any case, was largely based on the UK’s own Data Protection Act of 1984.
A lot, obviously, has changed since then. And the challenge of regulating data as those shifts have taken place – the growth of the internet, social media, cloud computing and big data, for example – has been compounded by the different ways in which the Data Protection Directive has been implemented across the 28 countries of the EU.
What is perhaps most notable about the EU’s approach to data protection legislation today is that the changes it is proposing to make will not be made in the form of a new directive, but rather in the form of a “regulation”, directly applicable to member states.
“A regulation is different from a directive because a directive is a set of principles that have to be translated into local laws. A regulation comes straight from Europe. Once it is passed at a European level, it is effective immediately in each country,” says Andrew Dyson, a partner and specialist in data protection at law firm DLA Piper.
That approach is double-edged. On the one hand, it means that the EU will be legislating directly in terms of data protection Europe-wide – and presumably doing so more and more in this way in future. On the other hand, it will prevent the complaint that directives, when translated into UK law, have been “gold plated” by over-zealous drafting.
The hope, adds Dyson, speaking at Computing’s recent IT Leaders’ Summit in London, is that it will provide organisations – particularly ones operating across the EU – with more certainty in terms of their pan-European IT infrastructures, cloud computing, and the way in which those organisations process data across the EU. “It’s quite a significant change of tack and, I think, quite helpful,” says Dyson.
One of the positive aspects of the proposed regulations is that organisations operating across Europe will only need to deal with one regulator – not every information commissioner in every EU country in which they operate. “The intention is that you will just go to your ‘lead’ regulator in your headquarters country and deal with them exclusively for the whole of Europe,” says Dyson.
However, following the Edward Snowden revelations, he warns, the momentum is behind stricter controls that may impede developments in social media, given the personal information that is provided in exchange for the use of such applications, and big data.
All of this, though, is not just on a pan-European level. Taking a leaf out of US lawmakers’ books, proposals currently under consideration are extra-territorial in scope. If an EU citizen orders something from a US website, for example, the personal data generated by that transaction does not currently come under the scope of EU data protection laws. But under the data protection regulations currently being considered, EU data protection laws would apply to citizens’ personal data regardless of where in the world that data is being stored and/or processed, warns Dyson.
In addition, the regulations will also extend the scope of EU data protection to outsourced providers. At the moment, says Dyson, the ‘contract’ is between customer and supplier. In future, though, “if you are an outsourced provider, looking after customer data on behalf of a client, if you lose that data; if you don’t have in place proper protections, controls and systems, it’s not just a question of being in breach of contract, but the Information Commissioner’s Office will become involved,” says Dyson.
Finally, there’s the so-called “right to be forgotten”, a recent ruling in the European Court of Justice that has forced Google and other search engines to de-link people from otherwise publicly available information on request. The European Commission claims that this ruling conforms with “the spirit” of the forthcoming Data Protection Regulations.
What has attracted the highest-profile headlines, though, is the enforcement regime, which will include punitive fines of up to €100m or five per cent of global turnover.
“At the moment, there’s a very mixed approach to enforcement across Europe. Some regulators are active; others have no resources and take no enforcement action. That doesn’t make sense: in one market you could be hit with a fine and in another they might take no action,” says Dyson.
If that concerns EU-based organisations, it won’t be long before they are subjected to it: the General Data Protection Regulation is expected to be adopted some time in early 2015, with the enforcement regime coming in from 2017. “They are thinking that the breach of data protection and privacy laws is on a par with a breach of anti-trust and competition laws,” adds Dyson. “This is a very clear message that if you get it wrong or you don’t comply, there won’t just be a rap on the knuckles. It’s deliberate – to try and change behaviours.”