All companies hold and process personal data regarding their staff, their customers or their suppliers, and normally all three. In Europe, how this data is handled has been regulated by complex data protection laws since the early 1980s. Now, these laws face a radical overhaul following proposed amendments to the EU Data Protection Directive.
The EU’s reform of data protection rules has been designed to strengthen online privacy rights and boost Europe’s digital economy. However, if adopted, the changes will have a huge impact on all organizations with European operations, not just in terms of administration but also in the scale of penalties for those who are non-compliant.
“Seventeen years ago, less than 1 percent of Europeans used the Internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds,” said EU Justice Commissioner Viviane Reding, the Commission’s vice president. “The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data. My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information. The reform will accomplish this while making life easier and less costly for businesses. A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation.”
The changes will have a particular impact on European staffing agencies and other intermediaries such as managed services and recruitment process outsourcing providers. Staffing firms in the U.K. have already run into trouble under the existing regulations. Recently, Manpower UK Ltd. was obliged to sign an undertaking after a spreadsheet containing 400 people’s personal details was accidentally emailed to 60 employees. In August 2011, a Hays employee accidentally emailed the pay rates of 3,000 contractors to 800 employees of Royal Bank of Scotland. And in November 2010 a penalty of £60,000 was issued to the employment services company A4e Limited for the loss of an unencrypted laptop that contained personal information relating to 24,000 people who had used community legal advice centers.
With new laws on the way, the regulatory burden will be increased and the amount of time, money and personnel required to achieve compliance and avoid fines will escalate. Companies that use the services of staffing providers will likely demand more reassurance from their suppliers than they have previously required.
“Once the proposals have passed through the European parliamentary system, because they are in the form of a ‘regulation’ they will have direct effect in every EU member state with minimal further scope for debate, or rationalization,” according to UK legal firm Osborne Clarke. “While a more harmonized data protection regulatory landscape sounds appealing, the uncompromising approach taken by the EC’s draft regulation is a cause for concern for business.”
Key points in the draft regulation include the following:
- Fines. National data protection regulators will be given the ability to impose significantly higher fines of up to 2 percent of global turnover where basic knowledge/consent obligations or requirements to adopt good policies and procedures are not followed.
- Data Protection Officers (DPO). Private sector companies with more than 250 employees, or whose core activities involve regular monitoring of individuals, as well as public authorities will all be required to formally appoint a DPO. The DPO must be empowered by their organization to act as an independent assessor of its compliance with data protection laws and report to the board of directors in doing so. The regulation specifically requires the DPO to coordinate data protection by design and privacy impact assessment initiatives and to be responsible for data security initiatives generally. Responsibility for training staff is also mentioned. In short, the DPO must ensure that their organization has adopted good data governance policies and procedures.
- Audits, data protection by design and privacy impact assessments. Organizations will be required to demonstrate that they have undertaken regular data protection audits and privacy impact assessments (PIAs) using recognized industry standards. Regulators can designate processing activities in respect of which organizations should always proactively run a PIA before processing commences. The regulation sets out a starting point list that includes any activities using data about an individual's “economic situation, location, health, personal preferences or reliability of behavior.”
- Security breach notification. Organizations will have to notify data protection authorities within 24 hours of establishing that they have suffered a data breach, or explain why it is not possible to provide full details of the breach. Slick internal procedures will therefore be required to verify suspected breaches and establish what has been lost or subjected to unauthorized access.
- Expanded consent requirements. Consent to use personally identifiable information will have to be obtained in advance, on an opt-in basis, before the information is used. However, the EU has pulled back from requiring parental consent for minors under the age of 18, as an earlier draft of the regulation leaked in November had required. The draft regulation published in January set the age of parental consent at 13.
- Data portability. Individuals will have the right to demand that an organization transfer any or all information held about them to a third-party organization in a format that the individual determines. This increases the control that individuals have over data that identifies them and makes it easier for them to transfer business or employment relationships. It remains to be seen who will be required to cover associated costs of such an exercise, but it seems very likely that the transferring organization will be expected to do so.
- Jurisdictional reach. The new laws will apply to anyone processing data in the EU as well as those outside Europe who offer goods or services to EU citizens. For a multi-national organization, the location of its European HQ will determine which EU member state’s laws bind it, and which regulatory authority will have jurisdiction over it. That said, individuals will be given wider-ranging powers to bring action personally against an organization (either in the country where a non-compliant organization is located or in the individual’s local courts). Trade associations will also be empowered to bring class actions on behalf of their members.
- Data transfers. Amidst the negative implications from this proposed reform there is one piece of good news for business. Europe’s data transfer laws will be relaxed in that more options will be made available to enable organizations to share data with non-European third parties. Specifically, the policy implementation known as Binding Corporate Rules will be formalized as a mechanism enabling data transfer compliance for multi-site, multi-national businesses.
- The right to be forgotten. Individuals will be able to demand that information published about them online is deleted and is not republished. Organizations that receive such a demand must take all reasonable efforts to inform other website operators of the existence of the complaint they have received. The right, which is particularly relevant to social media businesses, is subject to some exemptions, such as one benefiting journalists publishing stories in the public interest, which raises the question of whether a blogger, or someone who posts an opinion on a website, counts as a journalist. Questions also remain about how practical the regulation is and who would bear the costs of complying with it.
The proposed reform must first be considered by the council and the European Parliament, who have the right to reject the proposals, or propose amendments, before it can become law. When agreement is reached, the regulation will be adopted.
Technological progress and globalization have profoundly changed the way personal data is collected, accessed and used, so it is not surprising to see the EU try to evolve its regulations to meet new challenges. The EU believes that the creation of a single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion per year. Furthermore, it claims the initiative will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs and innovation in Europe. Whether or not this happens remains to be seen; however, what is absolutely clear is that all organizations in Europe will need to begin exercising much more diligence in their handling of personal data.
Full details of the proposed reform are available here.