Posted on 3.2.12 by Christian Mancier
Last week saw the release of proposals for a reform to Data Protection laws across Europe.
It is nearly 20 years since the last piece of Europe-wide legislation that overhauled Data Protection laws (the Data Protection Directive 1995), which resulted in the Data Protection Act 1998 coming into force in England and Wales.
Think back to 1995, when only a handful of us were using computers regularly, e-mail was only just getting off the ground, most of us had never used the internet (which at the time carried less than 1% of all telecommunicated information, compared to 97% today) and any information that was stored on disk was stored, in very limited quantities, on floppy disks. Fast forward to 2012 and we live in an information society where personal data is incredibly valuable (just look at what Facebook, a company built on personal data, is worth), vast amounts of data can be published online and distributed around the world in seconds at the click of a mouse (or a tap on a tablet device), individuals are increasingly concerned about the safety of their personal data, and not a week goes by without a high-profile story of a stolen laptop or a lost memory stick containing the personal details of thousands (if not millions) of individuals.
Since 1995 technology has advanced immeasurably, whereas the Data Protection framework has stood still, with issues arising out of technological advances being shoe-horned into a legislative framework which was by no means “future-proof” and never really envisaged such technological change.
Consequently, the main aim of the proposals to reform the Europe-wide Data Protection landscape is to come up with a single piece of Europe-wide legislation (rather than 27 disparate pieces of legislation, all based around the same European Directive, which are more often than not contradictory) which will apply across all member states and provide a clear, strong, uniform and simplified (let’s wait and see!) approach to Data Protection, whilst at the same time protecting individuals’ fundamental rights in respect of their personal data.
So what can we expect from the reforms?
Each organisation will have to appoint its own Data Protection Officer, who will be responsible for Data Protection within that organisation. This will remove the need for the current system of Notification (under which each organisation has to register with the national body responsible for enforcing Data Protection legislation in each member state – the Information Commissioner’s Office in the UK), which will help cut the red tape (and hopefully the cost) associated with Data Protection.
Pan-European organisations will only have to deal with the Data Protection Authority of the member state in which they have their main establishment, rather than with the Data Protection Authority of each member state in which they operate, and every Data Protection Authority will have the same powers, tools and remedies available to it to deal with breaches of the new legislation.
The process of transferring data outside the EEA will be streamlined to reflect the ease with which data can now be transferred and the acknowledgement that many larger organisations operate on a global basis and may need to move data around their organisation worldwide.
Transparency will be the name of the game: individuals must be clearly told how their data will be used, where they give consent that consent must be meaningful and not generic, and individuals will have greater control of, and easier access to, their personal data. This may go so far as allowing an individual to request that all personal data about them held by an organisation be deleted if there is no legitimate reason for that personal data to be retained. This will need to be balanced against situations where there is a legitimate and legally justified reason for personal data to be retained, such as newspaper archives.
Finally, it is expected that there will be a positive obligation on organisations to notify data protection breaches, with those involved in the reform proposals hinting that this may need to be done “within 24 hours” of the breach occurring. This constitutes a massive shift from the current regime, where only certain public bodies (government departments and NHS Trusts, for example) have to notify the Information Commissioner of breaches. This aspect alone is something that will really make organisations sit up and take notice of the Data Protection framework and of what they need to be doing to comply.
It will obviously be some time before the new pan-European Data Protection legislation comes into force, but businesses should be prepared for it and start gearing up now with internal policies, procedures and best practice to ensure compliance going forward and to make the eventual move over to the new legislation as painless as possible – especially if the current maximum fine of £500,000 for non-compliance remains in force as part of the reforms.