Data protection: tighter rules on the way in 2011?
The European Commission last month announced plans to overhaul data protection legislation. The aim of the new legislation is to strengthen the rights of individuals and to ensure that data protection rules are more consistently enforced. However, the current proposals are likely to place an increased burden on data controllers who could face greater penalties for non-compliance.
In its discussion document, A comprehensive approach on personal data protection in the European Union (PDF), the Commission states that the revision process is intended to address a number of “specific challenges”:
- the impact of new technologies;
- the need for increased data protection harmonisation and legal coherence within the EU;
- simplifying the law on international transfers of data; and
- stronger enforcement and an enhanced role for national data protection authorities.
The overriding aim is:
to protect the fundamental rights of natural persons and in particular their right to protection of personal data.
The discussion document then sets out a number of ways in which these challenges can be addressed in order to accomplish that aim. Some of the key ones for businesses are:
- Increasing transparency, especially in privacy policies and as regards children. This could include standard forms of privacy notice.
- Mandatory notification of personal data breaches.
- Increased rights for individuals to have their data deleted (the “right to be forgotten”) and to withdraw their data from a service provider’s systems (“data portability”).
- “Clarifying and strengthening” the rules on consent to data processing, in order to ensure that truly “informed consent” is given for processing.
- Adding new categories of “sensitive” data, such as genetic data.
- A requirement for “Privacy by Design” covering the design, deployment, use and disposal of technologies.
Observers have pointed out a number of areas of potential difficulty. The “right to be forgotten”, for example, seems on the face of it to contain a contradiction – because companies would need to keep lists of people they were required to have “forgotten”. More pertinently, data may refer to more than one person: where you and I both feature in a group photograph on Facebook, your “right to be forgotten” may conflict with my wish for the photograph to remain available.
Similarly, it is difficult for data controllers to know they have been given “informed consent” for processing without a certain amount of information already being retained and processed about an individual. It also seems doubtful whether standard forms of privacy notice could cover the limitless variety of different ways in which personal data is used.
Current data protection law is far from ideal, and so an overhaul is to be expected. However, the track record on EU legislation in this area will leave many businesses concerned as to the impact of any changes. The Commission document refers to “the fundamental rights of natural persons”, but (apart from references to “enhancing the internal market dimension of data protection) says little or nothing about the role of data processing in encouraging business activity and economic growth. Some of the proposals floated in the document, such as requirements for “informed consent” and the “right to be forgotten”, could present considerable administrative challenges to data controllers.
From a UK perspective, moves to increase “harmonisation” and “coherence” for data protection are likely to mean a considerable tightening up of the law. To date the UK has tended to take a more relaxed view towards data protection issues than some other EU jurisdictions, for example in allowing “implied consent” for processing where others require explicit consent in writing.
The Commission is inviting responses to its discussion document in a consultation period closing on 15 January 2011, and draft legislation is then expected some time during 2011. It remains to be seen what form this will take, but companies whose business is based heavily on data processing will want to keep a close eye on developments over the next twelve months.