In November, the European Union voted to overhaul the Data Protection regime. What does it mean for you and your business? This is part one in a series looking at how data protection requirements are set to affect businesses and advertisers in the UK.
The proposal for a regulation on the processing of personal data is long and complicated. Considering the various stakeholders with interests in reforming the act, it is no wonder that the regulation consists of eleven chapters and 91 articles. The Proposed Regulation (hereafter Regulation) will likely serve as a model for other regions of the world and have extraterritorial effects on data controllers located outside of the European Union.
Sensitive information is being shared every second, and while there are security practices in place, Edward Snowden’s revelations about the depth of the NSA surveillance program show how insecure sensitive information is in the hands of businesses and governments. Once data has entered the web, the sender has completely lost control over that information. Increased attention has also been given to privacy legislation globally and to the reform of the EU data protection legal framework following the recent revelations of access to private data for law enforcement purposes.
In response to the challenges of cyberspace, the European Parliament has come up with the proposed regulation, which is to replace Directive 95/46/EC of 1995. It is noteworthy that the proposed regulation includes a provision changing the definition of a ‘data subject’ (to mean a person identified or identifiable by means likely to be used), and the new and improved ‘right to be forgotten’.
The right to be forgotten provides the legal framework for individuals to ask for their personal data to be deleted. Furthermore, when there are no legitimate grounds for retaining it, the data subject can demand that the data controller delete any data held on the data subject. The regulation also contains a right to data portability and a requirement that consent be given explicitly by individuals where it is required for certain types of data processing.
The proposed regulation also introduces data protection officers for companies with over 250 employees, as well as a requirement to conduct data protection impact assessments. Organisations are required to report data breaches without undue delay and, where feasible, within 24 hours. In other words, large companies are going to have to step up their game when it comes to data protection.
This all comes on the back of concerns privacy advocates have about the way data is actually used by data controllers and the naivety of ordinary people when it comes to turning over personal data to businesses and advertisers. Even when individuals legally consent to the processing of their personal data, it is highly unlikely that they understand the real implications of the consent they have just given in the terms and conditions of the contract with the supplier. Furthermore, the extent to which the rule of data minimisation is applied depends on the discretion of the companies that hold the data and on the scarce resources that have been applied to its enforcement.
The Proposed Regulation also places the burden of proof on data controllers to show that the processing of the data falls within the listed exceptions. As a result, the right to be forgotten can be asserted against search engines such as Google and Yahoo that link to content. It is likely that these companies, faced with the monetary penalties that come with non-compliance, will opt for deletion of personal data, even in ambiguous cases, rather than justify the application of an exception. Yahoo and Google could thus turn into major censors of otherwise legal content.
However, because of the recent revelations concerning access to company data by law enforcement agencies, it is expected that EU institutions will now look very carefully at these rules, at the risk of creating an even more restrictive framework for data transfers outside of the European Union. In particular, some consensus is currently emerging in Brussels regarding the insertion of a clause that would prohibit the disclosure of personal data to foreign governments without the authorisation of the competent data protection authority in the European Union.