New Euro data protection law

by Mark Rowe

After years of debate, it looks like the European Union is to bring in a new data protection law that the UK will have to follow, though not just yet.

In the UK, the regulator Christopher Graham, the Information Commissioner, said that a new law will remind people of their data protection rights and remind organisations of their data protection responsibilities. “That can only be welcomed.”

The new regulation, he said, contains a great deal of compliance detail that isn’t in the current law. “But there is no doubt that the best preparation for an organisation is to comply with the current law – there are many parts of the new legislation that won’t be that new to us.” Visit www.ico.org.uk.

There’s no hurry to act; it will be put to a vote by Parliament as a whole in the new year; then member states will have two years to transpose the provisions of the directive into their national laws. The regulation, to apply directly in all member states, will also take effect after two years.

The two draft laws – a regulation and a directive – were being passed at the EU in December. Inevitably in the EU, it has taken the European Parliament and Council ages to agree, and that has meant compromises. The parliament’s lead MEP on the regulation, Jan Philipp Albrecht (a German Green), said: “In future, firms breaching EU data protection rules could be fined as much as 4pc of annual turnover – for global internet companies in particular, this could amount to billions. In addition, companies will also have to appoint a data protection officer if they process sensitive data on a large scale or collect information on many consumers.”

He added: “The regulation returns control over citizens’ personal data to citizens. Companies will not be allowed to divulge information that they have received for a particular purpose without the permission of the person concerned. Consumers will have to give their explicit consent to the use of their data. Unfortunately, member states could not agree to set a 13-year age limit for parental consent for children to use social media such as Facebook or Instagram. Instead, member states will now be free to set their own limits between 13 and 16 years.”

Among the inevitable compromises: how to balance data protection across the EU – with all member states agreeing – so as to secure citizens’ personal and private data, while also creating clarity and legal certainty for businesses that want to compete in the digital, and global, market.

Comment

At the IT security product company Symantec, Ilias Chantzos, Senior Director, Government Affairs and Privacy, EMEA, said: “After a lengthy negotiation the text is a strong platform that regulates industry and protects consumers. Consumer behaviour has evolved considerably in the three years this legislation has taken to come to fruition. Symantec’s 2015 State of Privacy Report shows that 57 per cent of European consumers are worried their data is not safe, with 59 per cent stating they have experienced a data protection issue in the past.

“Data protection and data governance has evolved to become a priority for consumers and industry. Consumer online behaviour changes as consumers become more sensitive on how industry uses their data. As issues around data loss, theft or surveillance continue to be highlighted in the media, data protection now represents a significant concern for European consumers and companies. Symantec’s recent State of Privacy Report reveals that data security is a strong commerce driver for 88 per cent of shoppers and ranks as high as selection and customer service when consumers decide where to shop.”

“Businesses need to be more transparent with customers on how they use and protect data. Security needs to be embedded into a company’s value chain by design. It should also be viewed internally as a customer-winning requirement, and not just a cost.”

Data transfers for policing

With the November 13 terrorist attacks on Paris in mind, and as a sign of how wide-ranging data law is, the EU politicians in their new draft directive also had to balance data transfers for policing and judicial purposes by national law enforcement bodies around the EU, with civic freedoms and the right to privacy.

Parliament’s lead MEP on the draft directive, Marju Lauristin (S&D, Estonia), said after agreement was reached: “It is of the utmost importance, especially after the Paris attacks, to enhance police cooperation and exchange of law enforcement data. I am very confident that this law will offer the right balance between safeguarding citizens’ fundamental rights and increasing the effectiveness of police cooperation throughout the Union.”

The directive will be the first to harmonise 28 countries’ law enforcement systems with respect to exchanging data – also within each member state. EU countries may set higher data protection standards than those enshrined in the directive if they wish.

More comment

Stewart Room, a partner at audit firm PwC and head of PwC Legal’s data privacy and protection practice, warned that business is not prepared for the complex legal changes to compliance and risks heavy financial penalties and a wave of litigation.

“The scale and breadth of the EU’s changes to privacy rules will deliver unprecedented challenges for business and every entity that holds or uses European personal data both inside and outside the EU. Most companies will be shocked at the scale of the new rules and the work that needs to be done before the laws take effect in two years – it is not much time for the magnitude of internal changes that will be required. Compliance costs will also be high, in some cases tens of millions of Pounds, for large entities.

“Major retailers, the banking sector, and any entity that is aiming its marketing and promotion at consumers are especially at risk, as is any entity that uses data around children. Technology companies will also be in the firing line.

“With financial penalties of up to 4pc of global annual turnover for non-compliance, some of our largest multinationals as well as public entities could face penalties worth many millions in pounds or euros, as organisations are forced to publicly disclose any security and confidentiality breaches to the regulators and the people affected. The new laws will go much further than reputational damage.

“New enhanced rights for people over their personal data may also unleash a wave of legal action and compensation claims against entities that will face new rights including the Right to be Forgotten – so that personal data is deleted and destroyed by organisations.

“Obtaining consent to use personal data is also about to become a lot harder for companies, as well as new requirements to assess the risks to personal data and privacy. Business will also face interference from the European data protection regulators as new powers enable them to shape how personal data are used.”

And Richard Brown, Director EMEA Channels and Alliances at Arbor Networks, said: “The new agreements around the EU Data Protection Act should make it simpler for cloud providers operating within the EU, but the initial barrier to this lies in the understanding of this new legislation. Changes to the definition of what is and is not personal data, the need for ‘explicit’ consent for data-collection and different documentation requirements all need to be interpreted, and any relevant changes made. Some of these changes may incur additional costs to business, while others may reduce overall expenditure, like the unification of regulation. But getting a good understanding of this will be a work-in-progress for many organisations.

“As with all regulations it is important that organisations maintain their focus on the ‘goal’, rather than purely on compliance. The impact of data-breaches on both business and the end-user can be significant and businesses need to ensure they are protecting themselves and their customers, not just trying to comply with the legislation.”

Kane Hardy, VP EMEA, Hexis Cyber Solutions, said: “The upshot of the EU digital-privacy law decided this week is that businesses not protecting the data integrity of their customers, employees and users will be penalised in the event of their network being compromised. That should rightly be the responsibility of any business, but is a four per cent fine of global revenues justified or enforceable?

“The threat landscape is growing more relevant by the week for any business and as we saw with the recent TalkTalk hack or government breaches like OPM, you can have a solid team of security experts behind you and still lose out to cybercriminals. These human threat actors have the first mover advantage and businesses need to take both a proactive and reactive posture through the use of the latest automated security technology in order to combat an unpredictable threat.

“Detection is critical, but it’s equally important to be able to respond to emerging threats before they do the real damage. Organisations need to have comprehensive integrated visibility into both endpoint activity (suspicious files, processes, network communications) and network activity (communications with bad IPs, domains and DNS), in order to protect themselves. Only by implementing a next generation integrated endpoint detection and response solution will they be able to detect, verify and respond to threats in real time and at machine speeds before damage is incurred.”
