Insights Dig-e-Com: New European Data Privacy Framework

One size fits all

The new law will be one which has, in the language of the EU, direct effect, meaning that unlike in the case of the last data privacy legislation all EU countries must adopt the specifics of the proposed rules with no variation. The resulting business certainty will no doubt be good for all concerned: 27 different sets of data privacy rules will become one, with obvious benefits. However, what is also clear is that those rules will potentially put a much greater burden on organisations handling personal data.

Enforced amnesia

EU citizens will have the ‘right to be forgotten’. Much-vaunted by the Commission, but likely to be a considerable burden to businesses, an individual will be able to require a data controller to erase all personal data relating to them and to stop further ‘dissemination’ of that data. If the controller itself has ‘made the data public’, it will also have to inform third parties that are processing the personal data that the individual wants them to remove any links or copies of that data.

Easy come, easy go

There is also a new right of ‘data portability’ which is intended to allow individuals to move, or copy, their personal data quickly and easily from one controller to another. The proposals refer to the data being packaged in a ‘commonly used format’ but the detail is vague.

Mea culpa

Another big change: organisations will have to own up to the data protection authority, the ICO here, to a breach within 24 hours of becoming aware of it. Any breach, whether serious or not. Processors (for example third party marketing companies) will have to tell controllers immediately after a breach is discovered. If the breach is ‘likely to adversely affect’ the protection of the data, the individuals concerned will have to be notified too ‘without undue delay’ – the ICO will be able to require you to tell individuals if it disagrees with your decision not to. 

Hello officer

All public authorities, ‘enterprises’ (any entity engaged in commercial activity) that employ over 250 staff, and organisations where processing requires ‘regular and systematic monitoring of data subjects’ will be required to appoint a data protection officer and provide all resources necessary to carry out his/her duties.

Protection sans frontières

The Commission has made a big play of the fact that the proposed regulation will apply to organisations based outside the EU if they offer goods or services in the EU or monitor the online behaviour of EU citizens. Quite how this will be enforced remains a mystery – the regulation makes no mention of data protection marshals patrolling the globe.

Show me the money

The rhetoric meets reality, however, in terms of the teeth that the ICO will be given to enforce the new rules. If an enterprise fails to put in place procedures to deal with requests from individuals for access to their data or tries to charge for access it could be fined up to €250,000 or 0.5% of its annual worldwide turnover. If it fails to provide access to the data the fine could be up to €500,000 or 1% of its annual worldwide turnover. The same fine applies if an enterprise does not comply with the right to be forgotten and even if it does not maintain proper records of all data processing operations it carries out. It doesn’t stop there: a fine of up to €1,000,000 or 2% of annual worldwide turnover can be imposed for 15 different types of breaches, notably the failure to report a breach, failure to appoint a data protection officer, and having inadequate technical and organisational measures to ensure the security of data.

For all enquiries on this subject or any other data privacy related issue please contact Phil Gorski on +44 (0)207 927 9687 or Jason Chess on +44 (0)207 612 9612.