Bursting the Bubble

A Byte of EU Data Protection

30 October 2013 | by

In the age of internet, no longer is it necessary to follow someone’s paper trail, for if one has the digital know-how, the quantity of data that can be obtained is, quite simply, shocking. The world is at your fingertips.

Admittedly, we have become fairly reliant upon technology and for the most part it does enrich our lives. However, concern is derived from how these technologies can be abused. The abuses that concern policy makers in the EU, as well as the rest of the world, are those which serve to violate the rights of the person – specifically privacy.

While the data technology in each EU member state developed at different rates, across the board data protection came to light in the early 1970s amidst rumours of national authorities using individual technology trails to identify potential home-grown terrorists or criminal types, the beginning of the unseen ‘big brother’ using technology to its advantage for societal ‘control’. With fractious atmospheres in many European nations, such as the UK and Germany, citizen groups pressed for protection. As such, the first national data protection law in the world was passed in the federal state of Hesse (Germany) during 1970.

As globalization and technological advancements continued, national authorities saw the need for cooperation both to protect and to share technically derived data. This is what led to the 1995 Directive (95/46/EC) as well as the establishment of the EDPS in 2004, whose main tasks are supervision, consultation and the facilitation of cooperation. However, despite this ‘cooperation’, every member state currently maintains a separate system of data protection, and in some, such as Germany, there are several different systems. As the rights of the person concerning technically derived data have risen in priority, it is important to separate the current draft regulation concerning EU Data Protection from the recent revelations of U.S. actions. The focus here is the draft regulation concerning EU Data Protection. As a regulation instead of a directive, when passed, the new policy will be directly applicable to all EU member states, as well as EEA states in this case, without national legislation completing implementation.

For most, the need for Data Protection is obvious, but how will this new regulation impact you, and will it really keep your data safe? Here are some highlights of differences that will be seen with the new regulation.

Increased Scope – Now, not only will EU data policy apply to data controllers, but will also be applicable to data processors in the EU, as well as those established outside the EU that offer goods or services to data subjects in the EU. Ideally, this means that there will not be loopholes in the protection mechanisms for EU data subjects. The potential risk here is that those established outside the EU will choose to forgo data involvement in the EEA as a result of having more ‘hoops to jump through’ in order to offer goods or services to EU citizens. Yet the regulation recognizes (Articles 80-84) that there are special processing procedures for journalistic purposes, health purposes, employment, research purposes, professional secrecy, and public interest.

Auditing for Data Controllers and Processors – For IT auditors, the new regulation may present some opportunities since data controllers, as well as processors, will be required to prove compliance with the required internal policies and mechanisms (Article 25). While this is done ‘behind the scenes’, what the rest of us will likely see is an increase in paperwork from processors or controllers wishing to ensure that they are in full compliance.

New Data Protection Officers – Entities that are public sector bodies, private sector businesses with 250-plus employees, or businesses whose main activities revolve around monitoring data subjects will now be required to have Data Protection Officers in charge of ensuring compliance and acting as the liaison for national data protection authorities (Articles 32-34). While previously entrepreneurs may have turned to online businesses to reduce costs, this and other new requirements may reduce that likelihood due to the increase in the cost of doing business.

Data Subject Rights – Undeniably, the rights of a data subject will increase under the new regulation (Article 12-18), but whether the public will view this with a sigh of relief or a sigh of annoyance is yet to be seen. While the individual will be able to transfer data without hassle, all matters impacting their data must be transparent, written out, and acknowledged by the data subject. This may lead to numerous screens of check boxes, leading to data subject disengagement. [Read Farah Coppola’s Article]

International Data Transfers – The current draft contains an exemption from the ban on exporting personal data from the EEA (Articles 37-44). While this must be in the legitimate interests of the data controller or processor, one hopes that the required protection of the data while being exported will be upheld wherever it may be exported to. Otherwise, the regulation does seem to provide a loophole through which data could be exported and then misused by a third-party recipient of the data.

Security Breaches – Under the 1995 Directive, controllers and processors were not required to notify national data protection authorities of security breaches. Now they are required to do so within 72 hours (Articles 27-29). Given the vast number of controllers/processors that hold the average person’s data, and the number of hackers who regularly gain temporary access to even small-scale systems, notification of all levels of security breaches may be overwhelming for data protection authority personnel.

Court Action – Data subjects wanting to bring cases of non-compliance with data protection standards can now bring them in their own EU country of residence, or where the defendant is established. Also in this regard, if data is requested by a court in a third-party country, authorization must be granted by the supervisory authority before the data can be released (Article 42).

Having been exposed to high levels of technological engineering, programming, and security throughout my life, I still ponder if technologically derived data can ever be fully secure. I do believe that given the level of integration throughout EU and EEA states, it is necessary to streamline the protection standards. However, there must be a balance. In a way, securing data reminds me of a mother wrapping her child in bubble wrap to protect them from the world, only to realize that the child will not be able to run and play. There is a fine line between sufficient protection and overprotection which could prove a hindrance to EU objectives of achieving a single digital economy, and the reduction of red tape for business endeavours.

01001001 01110011 00100000 01111001 01101111 01110101 01110010 00100000 01101001 01101110 01100110 01101111 01110010 01101101 01100001 01110100 01101001 01101111 01101110 00100000 01110010 01100101 01100001 01101100 01101100 01111001 00100000 01110011 01100001 01100110 01100101 00111111

4 Comments

  1. This is fantastic. Thanks so much. Great to have a piece that goes over what the difference is between what is currently in place and what will be in place if it all goes through. Since I am not as tech savvy as the author here, I am glad main changes are explained, though I am sure things will be modified up to the moment it is finalized. Brilliant piece, love the binary part at the end.

  2. This loophole you have identified regarding exportation of data from the EU to a third party is a bit worrisome. I am not sure that there is an actual solution which would be able to close the hole. While we can protect EU data subjects using the bubble wrap of protection policies when the data is in the EEA, and while it is being packaged up/exported to a third party, once it is in the hands of the third party there is no way that we can ensure that the privacy of EU data subjects is maintained. Even though there is a principle of approval for turning data over, and the EU may ask for a promise that the third party will treat the data as if it was still under EU protection – that is a bark without a bite. Yet, I have no desire for us to become a true fortress Europe and completely restrict the exportation of data to third parties. Your logic that data, once out in the technical realm, may be impossible to fully secure seems accurate. Like I tell my children, just be aware of what you are putting out there, since once it is out there who knows what it can be used for. The EU should have a general framework of Data protection, but people cannot rely on this for fully securing their data from all threats – from a third party or from a benign hacker.

  3. OMG – I just realized the 1’s and 0’s are binary… GENIUS! To answer your binary question – No, I do not think so

  4. Love this! Combines policy/ legal knowledge with knowledge of technical reality. Encoding a message in binary at the end is the ‘cherry at the top’.
