I thought I would devote a blog to answering the following question: “What would I say, if a manager asked me what the key changes to the data protection regime were as a result of the Regulation?”. So please use or amend the text for this purpose if need be. Note that the blog is only about the Regulation, not the law enforcement elements, for which a separate Directive was also published today.
The first point to make is that a Regulation applies directly in every Member State, whereas a Directive has to be transposed into national law by each Member State. In theory, a Regulation means that the whole European Union follows the same set of data protection rules instead of, as in the case of Directive 95/46/EC, many diverse national implementations. See the Regulation as the “Lord of the Rings” approach towards data protection harmonisation in all Member States: “One Regulation to rule them all, and in its interpretation bind them”.
Such harmonisation, so the theory goes, has immediate effects. A data protection authority ruling in one jurisdiction is likely to apply in another; rights in one country are standardised with those in another; if one data protection authority accepts a set of Binding Corporate Rules, then every data protection authority can accept them. You can also see immediately that, because of this standardisation, there will be stronger co-operation and knowledge transfer between data protection authorities. Overseas businesses trading personal data with Europe operate in a standardised environment, and vice versa (notice I did not say “easier”).
Codes of practice become more important. If one data protection authority produces a code of practice, it can be more or less adopted in other countries.
The Regulation identifies fines that “shall be levied” (no flexibility here) if an intentional or negligent breach on the part of a data controller is identified; there are different maximum fines for different transgressions, so you need to look at the detail. However, fines can range from 100 Euros to 1,000,000 Euros (or 2% of annual turnover if a commercial enterprise is involved). No doubt the 2% figure will get the headlines, but to exceed the 1,000,000 Euro maximum, the turnover has to be at least 50,000,000 Euros (or about £42 million).
As you know, the UK has a maximum monetary penalty of £500,000 (say about 600,000 Euros); if £500,000 represents 2% of turnover, then the total turnover is £25 million (30,000,000 Euros). So what you can say is that, for a private sector data controller, the maximum fine could actually decrease if turnover is less than £25 million, but increase to 2% of turnover if it is over £25 million (stress “maximum” please; don’t follow the hype). For a public sector data controller the maximum fine is about two thirds bigger than the current UK maximum (£830,000).
As an aside, the maximum fine could actually decrease for most SMEs. Take the ACS Law Ltd case, where the civil liberties lobby argued for a £500,000 fine. The turnover for ACS Law (as found on the internet) was about £1 million, so the maximum fine at 2% would be about £20,000 (2% of £1 million); a far cry from the aspirations of “les sans-culottes” of the privacy movement.
If the turnover is zero (e.g. the firm folds), then the fine is zero. Also, I have no idea what happens if the Euro-zone collapses or the Euro survives to become stronger than the pound sterling. I assume the Commission will fix a nominal exchange rate for non-Euro Member States at the time the Regulation is agreed.
All marketing using personal data has to have data subject consent. Does this mean the death of “opt-out”? I am not sure about this, to be honest, but the definition of consent has been strengthened to “explicit” consent (i.e. the current Schedule 3 standard for consent). So if your “opt-out” statement at the moment only just passes the “consent” threshold under the Data Protection Act, I would assume that it may be unreliable under the new regime.
I also think that “explicit consent” obtained via an “opt-out” box returned by the data subject has, at the very least, to be very prominent, include the mode of marketing (e.g. post, email) and be more detailed about which items of personal data are used for marketing and who does the marketing (e.g. “The name and address you have provided .....” instead of “The information you have provided...”).
I think you can safely alert marketing people to this kind of change, but leave the detail until the Regulation is actually adopted. I should add that there is a whole Article devoted to strengthening “consent” (e.g. consent shall not be valid if there is a significant imbalance between the position of the data subject and the controller).
Security of processing is an example of where implicit obligations currently under the Seventh Principle become formalised and explicit. For instance, if there is a personal data breach (a data loss, say), it has to be notified to the Commissioner without undue delay and, where feasible, within 24 hours of the controller becoming aware of it. The notification includes the nature of the personal data breach, the categories and number of data subjects concerned, the categories and number of data records concerned, the possible adverse effects of the breach, and the measures proposed or taken by the controller to address it. Processors have to notify the controller immediately a personal data breach is established.
Registration (or notification) with the Commissioner is being abolished, and because of that the data protection authority knows nothing about a data controller in advance. So there are stronger and more immediate powers for the regulator to find out what is going on and to force data controllers to comply or to halt the processing.
The general assumption is that data controllers are doing the “right thing”; this means, of course, that when the data protection authority knocks on the door, you have to make available records of compliance, which must contain certain elements. Some of these were the subject of registration (e.g. the name and contact details of the controller, of any joint controller or processor, and of the representative; the name and contact details of the data protection officer, if any; the purposes of the processing, including the legitimate interests pursued by the controller; a description of the category or categories of data subjects and of the personal data or categories of data relating to them; and the recipients or categories of recipients of the personal data, including the controllers to whom personal data are disclosed for the legitimate interest pursued by them).
So in practice, notification to the UK’s Information Commissioner is replaced by the data controller keeping the registration/notification detail itself, as well as other items (which, for a public authority, can be subject to FOI requests!). So when the European Commission says “notification is gone”, it is a statement that is arguably “economical with the truth”. The expense of collecting these details is still there; what’s gone is the £35/£500 fee.
The data controller also has to keep further documentation about data protection compliance (e.g. policies and procedures), implement the data security requirements, and perform a data protection impact assessment. Large data controllers (250 or more employees) have to designate a data protection officer, as do public authorities regardless of size. I would say that this data protection officer has to be fully trained (but I have to admit this sentence reads like a marketing “Mandy Rice-Davies” moment: “well he would say that, wouldn't he?”).
Privacy Impact Assessments (PIA) and Privacy by Design become mandatory (e.g. a PIA for CCTV of public spaces, use of biometrics, or children’s data; a child is anyone under 18, by the way). Privacy by Design techniques have to be considered (although in our PIA course I show that these are an implicit consequence of the Seventh Principle in relation to keeping up to date with the “state of technology”).
Data Processors are given some explicit obligations, obligations which they should implicitly be carrying out contractually already. For instance: act only on instructions from the controller, in particular where the transfer of the personal data used is prohibited; employ only staff who have committed themselves to confidentiality or are under a statutory obligation of confidentiality; and subcontract only with the prior permission of the controller.
The current rights of data subjects are more or less the same, but there is more detail to be provided on subject access (e.g. about retention times and information about new rights). There is an explicit right to have personal data corrected by the data controller (currently this right only relates to the Court, or arises implicitly via the Fourth Principle, which deals with accuracy), and the right to object includes profiling.
There is a new right to be forgotten, which effectively only applies if the processing is already underway with data subject consent (new definition, remember). If the “forget me” right is successfully applied, then third parties to whom the data controller has given the personal data have to be informed, where reasonably practicable.
However, there are a number of exemptions (e.g. when a data controller needs proof of some action, for research, when freedom of expression issues are raised, when personal data about other individuals are present, or where the accuracy of the personal data is contested). In some circumstances, “removal” rather than “deletion” is legitimate. So don’t panic at this right (at the moment).
There is a right to portability of personal data. For instance, where personal data are processed by electronic means in a commonly used format, the data subject can obtain a copy of those data in that format. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject is given the right to transmit those personal data to another system without hindrance from the controller from whom the personal data are being withdrawn. This clearly overlaps with the right of access, but is limited to the ‘consent or contract’ and ‘electronic, commonly used format’ subset of the personal data held by the data controller.
If you are interested in Binding Corporate Rules, then there are provisions that make them function properly (once accepted by a data protection authority). There are more definitions (e.g. “child”, and “genetic data”, which becomes a category of Sensitive Personal Data).
A great deal of the Regulation is given over to things that should not worry data controllers (e.g. ensuring the data protection authority is fit for purpose, having a pan-European Data Protection Board that is empowered to ensure consistency of the data protection rules across Europe, and the inevitable minutiae concerning the dark arts of internal EU comitology).
My own view? I think many Member States will oppose this Proposal because of the current economic circumstances and because it is far more prescriptive than the Directive it replaces. It is not a simplification; it is a more prescriptive complication that many will argue increases the burdens on business. The Regulation is OK for large organisations; for SMEs I suspect it will be overkill. If the Council of Ministers does eventually agree the Proposal, I suspect that it will be a different text with a longer lead-in time (currently set at two years).
So, at a hunch, we are looking at three years down the line (at least).
Download the Regulation here (61 pages): Regulation_DP_jan2012
Our Update session on March 26th has half a day devoted to this (London; £195+VAT; details on www.amberhawk.com (events and update) or top left of the blog). As well as a guest speaker from the ICO on the Regulation, we have sessions on:
• What are the changes in the Definitions?
• What are the changes in the Principles?
• What are the changes in the Rights?
• What are the changes in Enforcement, and other odds and ends?