European data reforms could mean major changes to business practice

Advice Frank Jennings Mar 13, 2012

The EU's proposed data protection laws could have major consequences for European businesses, although there's still time to change them

In January 2012, the European Commission finally unveiled its proposals for a radical overhaul of the current data protection rules, which it estimates will save businesses €2.3 billion a year.

The existing rules hail from the 1995 EU Data Protection Directive and have been criticised because, far from introducing consistent protection, they have led to 27 different interpretations of data protection across the European Union.  The original directive was also prepared before social media and cloud computing, so the time is right for modernising and harmonising the rules.

There are positives and negatives in the proposal.  There is hope that the Commission will reduce the impact of some of the negatives before the regulation comes into force.

Some positives:

  • The new data protection regime will take the form of a regulation.  This means that the same rules will apply across all EU member states without the need for local implementation.  This should, at last, introduce consistent EU-wide protection without a cloud service provider (CSP) having to analyse the differences in law across the EU.
  • A data controller will have to notify just the data protection authority in the member state in which its head office is located rather than in each member state where it is trading.  This reduction of red tape should save CSPs money and time.

The negatives include:

  • A big step up in fines.  Under the new proposals national data protection authorities will be able to penalise data protection breaches by imposing fines of up to 2 percent of the global annual turnover of a business.  This single measure is likely to put data protection on every CEO’s agenda.
  • A processor must notify a controller immediately after a breach and a controller must notify the supervisory authority within 24 hours.  Given the amount of time it will take to investigate breaches, this may be unrealistic.
  • There will be a principle of “privacy by default” and a suggestion that consent must be “explicit” in relation to the particular processing being considered.  This is likely to mean that cloud providers will require customers to grant extensive permissions for a wide range of processing activities.
  • A right to be forgotten. Individuals will have the right to have their personal data deleted if there is no legitimate reason for an organisation to keep it.  This may have a knock-on effect on cloud service providers who hold back-up and archive copies of data.
  • Application outside the EU.  The Commission proposes that the regulation will apply to businesses that are based outside the EU but have customers inside the EU.  This is likely to affect cloud providers based in the US who have EU customers.  It is not clear how the Commission will enforce this if the provider’s only contact with the EU is its customers.
  • Data transfers outside the EU will still be subject to the same restrictions.  Again, with so much of the cloud industry based outside the EU, it was hoped that this restriction would be loosened by imposing the obligation on the controller to ensure the data is safe.

The data protection regime was due an overhaul and the reduction of cost and red tape is a welcome change.  However, the EU Commission’s proposals are not as cloud-friendly as they could be.  As reported last week, the Cloud Industry Legal Forum has submitted a response to the UK Ministry of Justice and there is hope that the European Parliament will steer the regulation in the right direction.

Frank Jennings is chair of the code governance board of the Cloud Industry Forum, co-founder of the Cloud Industry Legal Forum and a partner in law firm DMH Stallard LLP. frank.jennings@dmhstallard.com