The future for data protection in Europe has finally arrived in the form of an EU Data Protection Regulation. Taking the stage after being leaked onto the virtual world, the new law will modernise the EU Data Protection Directive of 1995 in the form of a directly applicable Regulation. The European Commission presented this proposal in January 2012 and it is a good initiative for the digital world we’re living in, where we rely on a continuous connection to the Internet. The Commission stated that this reform will help companies get the most out of the Digital Single Market and that it will foster economic growth, innovation and job creation. However, questions arise when we think about how realistic these ambitious perspectives are.
The proposal has several provisions to strengthen citizens’ rights. One important new rule is “the right to data portability”. This gives consumers the ability to transfer their personal data from one service provider to another more easily, which means that you can download all the data that a company, for example Facebook, has about you. Another important clause is the “right to be forgotten”, which allows you to demand organisations to delete your data if there are no legitimate grounds for retaining it. So, it will definitely strengthen the rights of citizens of having their data protected. But what will the new legislation mean for European businesses? One of the Commissions objectives is “eliminating unnecessary costs and reducing administrative burdens for businesses”. However, compliance with the new regulation will impose a number of costs on businesses. The Commission proposal is overly prescriptive and detailed in a way that creates more administrative burdens and compliance costs for companies without a proportionate privacy benefit. In this way, it discourages digital innovation and competitiveness.
First of all, firms will have the obligation to carry out an impact assessment (DPIA), which can be very costly. For example, the regulation obliges a mandatory impact assessment where processing operations represent specific risk. Such an assessment could only be useful where organisations have the flexibility to tailor the assessment to their organisations’ processes. Secondly, companies will be obliged to maintain documentation of all processing operations, which will create substantial costs with no commensurate benefit. Instead of creating more paperwork, the Commission should focus on creating added value and jobs. Thirdly, firms will have to appoint a data protection Officer (DPO). This obligation will apply to firms with 250 or more employees and firms whose core activity is the monitoring of citizens. Another major challenge is the obligation to notify the supervisory bodies about data breaches within 24 hours. Firms who fail to comply with this notification risk fines of 1% of their global annual turnover, which is an extremely high figure. In addition, companies will have to develop new data management systems and procedures for data protection.
It also might be difficult for companies to comply with the “right to be forgotten”. Deleting certain data could damage other data. In practical terms it is difficult to go into a vast store of data and delete them in a granular way without damaging other data. Today, information is not simply held in a series of emails or a recording of a phone call, but in a structured database, which makes it very hard to ensure complete deletion. A corporate archive might be in a format that cannot be edited.
The current situation is that more than 3000 amendments have been tabled to the proposed legislation. As a result, the rapporteur Jan Albrecht (Greens-EFA, Germany) decided to postpone the vote in the EP Committee on Civil Liberties (LIBE) from April to the 29th/30th May.
Personally, I welcome the Commission’s initiative. I want to have the possibility to remove my information from, for example, Facebook and at the same time be sure that my information isn’t “flowing somewhere”. However, I do have doubts whether this reform will lead to the economic and employment boost that the Commission has thus far promised.