Data Protection: Regime Change
27 January 2012
The proposed changes, if passed into law, would represent a fundamental change in how businesses process personal data. They will represent nothing less than an overhaul of the current data protection regime.
Assuming the proposed reforms are adopted, many of the changes will not take effect until (we estimate) late 2014. This gives businesses a reasonable period of time to explore how to integrate the changes in law into their operations with minimum disruption. Of course, significant lobbying by interest groups is likely to now occur even though the measures were published after a long public consultation.
What are the key points?
- A single European regulatory framework is proposed which will involve the repeal of the 1995 Directive and its replacement with a Regulation which will be automatically effective in all EU member states. This means member states will not need to implement their own laws to transpose the new measures. This is significant and aimed at ensuring that the same law applies across the EU in this area rather than the current position where the laws of member states can differ in a number of respects. However, this is not likely to be easily achieved given that the regulators of each member state may adopt different interpretations of the new law.
- Increased fines (on a sliding scale of up to one million euro or up to 2% of a company’s global turnover in serious cases) will be available to national regulators. Even for businesses which had feared that a 5% fine was in the pipeline, this is clearly a game-changing provision aimed at ensuring data protection compliance is taken seriously.
- The introduction of a new “right to be forgotten”, which will be of particular interest in the social media sphere but is not limited to that area. If a customer contacts you to ask you to remove their details from your database, you will be obliged to do so unless you have a legitimate reason to retain their data. This is likely to be one of the most controversial aspects of the regulation and will be the subject of much lobbying.
- The introduction of a “right to data portability” for data subjects. This will mean customers must be able to receive data from businesses in a way that allows them to move it freely, for example in a commonly used format such as PDF. This will no doubt affect suppliers of cloud computing services, amongst others.
- Businesses with more than 250 employees (and some others on an exceptional basis) will be obliged to appoint a Data Protection Officer for a minimum two-year term. They will also be obliged to resource that person to enable them to carry out their functions. Again, this is likely to attract a great deal of attention from lobbyists given the cost of compliance.
- Companies will only need to deal with a single data protection regulatory authority in the member state in which they have their main establishment. For many FDI technology companies, where Ireland is their EMEA headquarters, this will be Ireland.
- Rules on consent will be considerably enhanced with few opportunities for data controllers to rely on implied consent. This aspect of the changes has already attracted criticism as, while it is a truism that consent is key to data protection compliance, consumers often express frustration at being repeatedly asked for consent in their interactions with businesses. Conducting business online and electronically will become less dynamic and more cumbersome in the absence of implied consent.
- Introduction of a mandatory security breach notification (possibly within 24 hours of becoming aware that a breach has occurred). Anyone who has ever been involved in a large scale security breach will find this to be extremely onerous. In many cases, several days can elapse while even the scope and extent of the breach is being determined.
- Introduction of a “privacy by design” principle, under which data protection safeguards must be taken into account at the planning stage when companies are designing products and services. Systems currently in design will need to be future-proofed to ensure they meet the requirements of the new regime, taking account of the new rights such as the “right to be forgotten” and “data portability”.
Data protection law is about to undergo the most fundamental change in 15 years. If you regard personal data as a key driver for your business, or if your business holds a significant amount of personal data, you should start considering whether you need to change existing data protection policies and procedures. You will also need to consider how to design and future-proof products and services to ensure compliance with the new rules.
Mason Hayes & Curran has one of the largest teams of data protection lawyers in Ireland, and we have advised on some of the most important data protection matters which have arisen in the State in recent years. On a daily basis we address key data protection concerns for our clients, many of which were keenly awaiting the announcement of these new draft measures after leaks of the proposals emerged in December 2011.
The content of this article is provided for information purposes only and does not constitute legal or other advice. Mason Hayes & Curran (www.mhc.ie) is a leading business law firm with offices in Dublin, London and New York. © Copyright Mason Hayes & Curran 2012. All rights reserved.