Human rights are a cornerstone of the European Parliament's legal approach, with the right to privacy and the protection of personal data regarded as a fundamental right for every EU citizen. For years European MPs have sought to introduce tighter privacy and data protection laws, but the global banking crisis and subsequent recession delayed any action. Commercial concerns about tying European businesses up with too much red tape as they fight to take Europe out of one of the worst recessions in living memory took precedence over digital privacy concerns. But after the Snowden revelations, and thanks to the privacy-crusading Viviane Reding (Vice-President of the EU Commission), Euro MPs have finally pushed through a huge raft of changes in EU data protection legislation, impacting not only businesses within European Union countries but any business processing EU citizens' personal information, anywhere in the world.
Following a European Parliament vote on 12th March 2014, the new EU data protection reform has become irreversible. The vote was resoundingly in favour of adoption, with a massive 621 votes in favour, 10 against and 22 abstentions. The new law is now set in stone, no matter what happens in the EU elections in May 2014. An EU meeting in June 2014 will set about its adoption by EU member states, and by all companies supplying goods and services to EU consumers. It is expected to be passed into actual law in 2016. These data protection changes will be hugely significant and problematic for all businesses, so there is no time to dilly-dally in starting preparation to comply.
New EU Regulation Key Changes (in Plain English)
Regulation, not a Directive
The current EU Data Protection Law is a Directive. A directive is open to some interpretation by member states: countries can bend the requirements as they adopt it into their own national law, and need not enforce the law to the same extent as other member states. The new EU DP law, however, is a Regulation, a "so it is written, so it shall be done" approach with no leeway at all; everyone has to follow the same rules exactly.
1. Data Breach Notification
All Data Controllers must notify ALL breaches of personal data to the Data Protection Authority within 72 hours.
2. Data Breach Sanctions
A number of new sanctions are available against companies that breach personal data, including the issuing of a warning letter and enforced periodic data protection audits, but the real game changer is the new financial penalties, which go well beyond the maximum £500K fines that can be issued by the UK's Information Commissioner's Office (ICO) under the current DPA law.
The new fines are up to 100m EUR or up to 5% of annual worldwide turnover in case of an enterprise, whichever is greater.
The new regulations also open the possibility of individuals and associations taking legal action against companies responsible for breaching their personal information. I can just see the cheesy 'Data Breach Lawyers for You' adverts.
3. The Right to be Forgotten
This means personal data must be fully deleted upon request by an individual. This could be a real problem for cloud services that host personal data, and for most businesses this requirement will require significant changes, including new business processes to handle requests in a timely fashion and a technical capability within IT systems to remove an individual's data. I can also see deleting personal data from backup tapes is going to be a real issue.
Obviously government and some regulated personal data will not be subject to the 'right to be forgotten' regulation, for example where there are regulatory or legal requirements to keep the personal data, so criminals and bad debtors just can't have their criminal records and bad credit history removed upon request using the law. This new privacy law is aimed at the likes of Facebook, Google and big ecommerce websites, to ensure they adequately remove personal information upon request.
4. Individual Consent
Explicit consent must be obtained from individuals in order to store and/or process their personal data. Data controllers must be able to prove consent has been obtained. This new requirement could prove painful for some businesses to adopt.
5. The Data Protection Officer Role
Where a business processes more than 5,000 records of personal data (the vast majority of businesses, I would say), the business must appoint a Data Protection Officer, who has responsibility for ensuring all personal data is managed by the business in compliance with the law.
6. Personal Data Portability
Individuals, upon request, must be given a copy of their personal data in a format usable for transfer to another processing system. For example, if you were to change ISP, energy supplier or bank, the supplier you are leaving must provide your personal data in an acceptable, ready-to-read format to the supplier you are moving to.
This will mean businesses will require new processes and a technical capability to achieve this.
7. Data Processor Liability Shift
Data Processors, who currently hide behind data controllers that hold the lion's share of the data protection liability, will be held jointly liable under the incoming EU Data Protection Regulation. So that cloud service provider now comes directly into the firing line of sanctions, not just the customers that use its service.