Last week the European Commission published its proposed new Data Protection legislation. It will now be discussed, and probably amended, by the European Parliament and Council of Ministers before it becomes law, a process that most commentators expect to take at least two years. There's a lot in the proposal, so this post will just cover the general themes. The detail relevant to particular issues, including incident response, breach notification, cloud computing and federated access management, will follow in subsequent posts.
The first important point is that the proposal is for a Regulation, not a Directive like previous European privacy laws. A Directive is an instruction to the 27 Member State legislatures to each produce a law with particular characteristics. Each of the resulting laws is then interpreted by national regulators and courts, so significant differences can arise between countries' implementations. In Data Protection, the Commission feels that this has created problems both for organisations, which may have to deal with different requirements and formalities in each country, and for users, whose information may be protected differently just because it, or they, cross a border. To avoid this, the Commission is proposing a draft Regulation, which would itself become the law in all Member States. To further reduce the scope for divergence, it also proposes that the advice and actions of national data protection authorities be more strongly linked, so that advice and decisions from one country also take effect in the others.
Greater consistency alone would help networked services, which are frequently international, but the Commission also mentions IT and the Internet specifically. While still concerned that "technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities", it seems to have accepted that successful European businesses need to be able to use technology services on other continents. The new proposal therefore offers much more scope for making international data processing lawful. At present only a whole country can be declared to provide adequate protection for personal data, but the new proposal allows such a declaration to cover "a territory or a processing sector within a third country, or an international organisation" as well. Where a transfer isn't covered by a declaration of adequacy there is a range of other options, from formal contracts for "frequent or massive" transfers to an assessment of risk for single transfers of small quantities of less sensitive data. In recognising the international reality of the Internet, the Commission also proposes to expand the scope of the Regulation to cover any organisation, even one outside the EU, that "offers goods or services" to individuals inside the EU or monitors their behaviour. What used to look like a data protection cliff in mid-Atlantic seems to be turning into more of a slope.
The aspect of the proposal that has attracted most comment, and seems likely to be most controversial, is the increased set of obligations on organisations. Although the formal requirement to notify a national regulator will go, every organisation will need to maintain comprehensive documentation for both users and regulators; a data protection officer will become mandatory for all but companies employing fewer than 250 people; and the fines for non-compliance are increased (though not by as much as in the leaked draft). If this does provoke a lot of argument, it's to be hoped that the improvements elsewhere aren't lost in the noise.
UPDATE: Pinsent-Masons have published comments on the key issues in the proposals.
UPDATE: The Information Commissioner's initial response has been published.