Information law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said that whilst organisations would welcome having to comply with a single EU regulation on data protection, rather than 27 national implementing laws as is the case under the current Data Protection Directive, organisations of all sizes would be concerned by some of the measures contained in the proposals.
He said both large multinationals and SMEs will be required to undertake unnecessarily costly and time consuming measures to adhere to the planned new data protection regime.
On Sunday the EU's Justice Commissioner Viviane Reding formally announced plans to publish a new data protection Regulation and a separate Directive on issues affecting law enforcement within days.
The Regulation would be a "directly and evenly applicable rule for 27 member states to enhance the opportunities for business and the protection for individuals," she said. The new rules would "ensure a smoother exchange of information between member states, police and judicial authorities in the fight against terrorism and serious crime while at the same time protecting people's fundamental rights to data protection," she said.
Last month a leaked draft of the proposals was published detailing some of the content of the new regime being considered and yet to be finalised.
Reding fleshed out some of the detail that will appear in the new legislative texts during a speech at the Digital Life Design conference in Munich at the weekend. She announced that the new Regulation will contain a "general obligation" that organisations own up to breaches of personal data "without undue delay". She said her interpretation of the phrase meant notifications would have to be made to the individuals concerned and national data protection authorities "within 24 hours".
However, Marc Dautlich said that that timeframe would make it difficult for organisations to communicate everything they would need to.
"The requirement that businesses notify individuals about data breaches ‘without undue delay’ echoes the language of the EU's Privacy and Electronic Communications Directive which governs notification of breaches in the telecoms sector. Whether there is a softening of Reding’s position on the issue, which has been debated furiously by law makers behind-the-scenes at the European Commission, is unclear since Reding’s interpretation that what this phrase means is ‘within 24 hours’ harks back to the inflexible position in the draft Regulations," he said. "How a 24 hour timescale allows organisations to issue meaningful communications to customers is anyone’s guess, particularly when the trigger to such notification is the 'establishment' by the organisation of the personal data breach – a new concept."
"Given the fine proposed under the Regulation for non-compliance with this requirement, data subjects are likely to receive a lot of reports," Dautlich said. "How useful some of these will be is questionable, and as to their collective effect on data subjects – certainly the experience in the US of breach notification has been mixed."
In her speech Reding also confirmed that the proposed Regulation will contain a qualified 'right to be forgotten' for individuals to be able to delete information they have previously given out about themselves. She said that the 'right to be forgotten' was a qualified right that would only apply if there was "no legitimate reason" for data to be kept stored.
"[The right to be forgotten] is the right for an individual to withdraw the consent to the processing of personal data they have given out themselves ... The right to be forgotten is not an absolute one. There are cases where there is a legitimate, legally justified reason to keep the data in the database – the archives of a newspaper is a good example of this. The right to be forgotten cannot amount to a right of the total erasure of history," she said. "Neither must the right to be forgotten take precedence over freedom of expression or freedom of the media. The new EU rules will include explicit provisions that ensure that a respect of freedom of expression and information is preserved."
"I will never compromise in the fight for fundamental rights to freedom of expression and freedom of the media – equally important to the fundamental rights to data protection," she said.
Dautlich said that giving individuals a 'right to be forgotten' would create onerous requirements for some major internet brands.
“The ‘right to be forgotten’ would place huge administrative burdens on web platform businesses, in particular social networks such as Twitter and Facebook," said Dautlich. "The burden would not only extend to removing data from their own servers but going to search engines like Google to remove data from their caches."
"There has been widespread concern at the burdens that the ‘right to be forgotten’ would create, both inside and outside the Commission," said Dautlich. "This is an area where the Commission has been under pressure to relax the requirement so we will have to wait and see."
New rules on consent to personal data processing will be introduced, Reding said. Organisations will have to provide individuals with transparent details about the processing in order to obtain "meaningful" consent from those people, she said. At the moment organisations are generally required to obtain individuals' consent in order to use their personal data.
"People need to be informed about the processing of their data in a simple clear language they can understand," said Reding. "Internet users must be told which data is collected, for what purpose, how long and how it will be stored. They need to know how it might be used by third parties, they must know their rights and to whom they can address if they think their rights have been violated."
"People need to make informed decisions about what to disclose when and to whom. Whenever users give their agreement to the processing of their data this has to be meaningful. People's consent needs to be specific and explicit," Reding said.
Under the new regime businesses will be required to appoint a data protection officer under new requirements that would make them more responsible and accountable for personal data, Reding said. A draft of the Regulation leaked last month suggests that only businesses with more than 250 employees, those based in the public sector and those with "core activities" that involve personal data processing would be required to appoint a data protection officer.
"The accountability requirement, that companies above a certain size and those in the public sector appoint a data protection officer, is an example of a requirement that imposes disproportionate burdens. By applying the rule across all those companies there is not a proper assessment of whether personal data processing-light companies actually need to employ a dedicated person for such a role," he said. "It will be interesting to see whether Viviane Reding has compromised on this requirement."
A uniform application of the new single Regulation will mean that national data protection authorities will be able to carry out investigations, make decisions and issue sanctions for cases that apply across the EU, Reding said. Authorities in the countries in which a company has its "main establishment" will be responsible for taking the actions. Authorities must be politically and economically independent, suitably resourced and will have to work together to make sure they "consistently enforce" the rules, she said.
"It will not matter any more which data protection authority deals with a case because all data protection authorities wherever they are and in whatever EU country they are will have the same adequate tools and powers to enforce EU law. They should be able to deal with complaints, carry out investigations, take binding decisions and if necessary impose effective and dissuasive sanctions. This will give the legislation teeth so that the rules will be properly enforced," Reding said.
The "one-stop-shop" regulatory regime will enable organisations to obtain EU-wide approval for their binding corporate rules (BCRs) from one single national authority, Reding said. BCRs are legally-binding commitments companies draw up over the transfer and processing of personal data outside of the European Economic Area to a country that is not a European Commission pre-approved country. Currently BCRs are assessed on an individual basis by authorities in member states prompting most companies to use simpler European Commission model contractual clauses instead in order to legalise overseas transfers of data.
"To me it seems odd that data held by a European company is adequately protected inside the borders of the EU but not when it transferred to a different part of the same company on another continent. I therefore want to improve the current system of binding corporate rules (BCRs) to make these exchanges less burdensome and more secure," the Justice Commissioner said.
"I will propose a consistent and streamlined approving process with a single point of contact for companies and once BCRs are approved by one data protection authority they will be taken into consideration by all data protection authorities wherever they are," she said. "There should be no further need for additional national authorisation in case of further transfers. As a result the companies will be capable of selling the same goods and services under the same data protection rules to 500 million people – a very interesting business opportunity."
Dautlich said that it was notable that Reding did not mention some of the areas of the new regime in her speech which have previously attracted attention.
"This means we are kept guessing, for example, over where they have ended up on fines. Although Reding touched on the subject of sanctions, there is no elaboration on the level of fines companies could be issued with for not complying with the rules," said Dautlich. "The leaked draft suggested fines of up to 5% of a company’s global turnover could be levied in some circumstances. This would put data protection not far behind competition law sanctions – not conducive to innovation in a financial climate where many businesses are already under significant pressure."
"There is also still a question over certain definitions, such as of ‘personal data’, which will determine the scope of legitimate processing. There would also be concerns amongst many organisations over how much documenting of their data processing they need to do," he said. "The Commission has powers under 'delegated acts' for specifying the criteria and requirements for this documentation. How they balance that power and how they exercise that power should be closely scrutinised by the Council of Ministers and Parliament to ensure it does not adversely impact innovation or organisations with fewer resources."
Reding said that the new regime would eliminate the "patchwork" EU data protection framework that currently exists. She said the current data protection regime lacks legal certainty, is fragmented, burdensome for business, and did not adequately protect individuals in the digital age. The new regime aimed to help businesses reclaim €2.3 billion in costs they currently lose in complying with the current laws, she said.