The target date for adoption of the proposed new Data Protection Regulation (DPR) has been pushed back to “by 2015”, thanks in part to David Cameron’s efforts to protect the interests of UK business. Germany was also supportive, though Merkel’s reasoning was slightly different: “… to ensure that it can reconcile the existing rights of its citizens.”
On 21st October 2013, the European Parliament’s civil liberties committee (LIBE) approved its Compromise Text of the proposed EU General Data Protection Regulation. It is still a long way from being complete, but the latest from Europe is:
1. Pseudonymous data now has its own definition, at present: “personal data that cannot be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution”. In practice that means the re-identification key (a lookup table, a tokenisation key or similar) must be held apart from the pseudonymised data set and protected by its own controls.
2. Data Protection Officers: a data controller or processor must appoint a Data Protection Officer when processing personal data relating to more than 5,000 data subjects in any consecutive 12-month period, and also where its core processing activities involve location data, children’s data, sensitive personal data, or employee data in large-scale filing systems.
3. A new concept has been introduced, the European Data Protection Seal: a certification process which would allow international transfers of personal data outside the EEA to recipients that also hold a Seal.
4. Right to erasure: the right of data subjects to have their personal data erased on request is still in the draft (it was originally the “right to be forgotten”), and it has been strengthened. If a data subject asks a controller to erase their data, the controller should also forward the request to any third parties to whom the data has been replicated.
Pulling NSA’s teeth …
The Compromise Text contains some other changes, including new data protection rules designed to curb America’s surveillance activities. The intention is to make US secret court orders powerless in the EU, and to force companies based outside the EU, such as Google and Facebook, to comply with European data protection law if they offer services to people in Europe. Powers to levy very large fines (the Compromise Text proposes up to 5% of annual worldwide turnover) are being made available to discourage violation of the new rules.
For example, if a court, tribunal or administrative authority in a third country requests that a company (such as a social network or cloud provider) disclose personal data processed in the EU, that company must notify the competent data protection authority and obtain its authorisation before any such transfer can be made.
This step is largely due to Edward Snowden’s revelations that American companies, platforms and social networking sites have been compelled to share substantial volumes of EU citizens’ personal online data (from emails and phone calls to video chats and web searches) with the National Security Agency, the US intelligence organisation which collects, monitors, decodes, translates and analyses foreign intelligence and counterintelligence information.
The third-country issue has been live since January 2012, when a clause on such requests was dropped from the Commission’s proposal after intense US lobbying. It now seems clear that the EU has had enough, particularly since the revelations that NSA systems collected, in the single month from 8th February to 8th March, 24.8 billion telephone records and 97.1 billion computer records from across the globe, including the UK, Germany and France.
In addition, the French are aggrieved that, between December 2012 and January 2013, the NSA was reported to have made 70.3 million recordings of French telephone data.
While the NSA is known to collect and store the telephone records of American citizens in bulk, its indiscriminate global collection is clearly unacceptable to Europe, which has taken steps to limit its powers, and those of other agencies and countries, over EU citizens’ data.
So now it is just the simple matter of balancing the need to combat terrorism against people’s right to privacy. That makes it hardly surprising that this legislation is taking so long, with a record-breaking 4,000 amendments so far. It is thought that there is a less than 50% chance of the new Regulation going through in the current time-frame, though final legislation is still anticipated before the European elections in May 2014.
India’s Draft Privacy Protection Bill
Data protection has become an issue in India for a number of reasons, not least Europe’s concerns given the sheer volume of personal data that is transferred to India for processing. Within India itself, citizens are concerned about the combination of personal identifiers (including biometric data) with extensive individual profiles.
India has been holding a series of roundtable talks since April 2013, with the goal of producing recommendations for a privacy regulatory framework. The latest of those talks was held on 19th October between the Center for Internet and Society, the Federation of Indian Chambers of Commerce and Industry, and the Data Security Council of India. Christopher Graham, the UK Information Commissioner, was among the speakers.
We will send more updates as they come through. In the meantime, if you have any concerns over how these proposals, or the existing Data Protection Act (DPA) and Privacy and Electronic Communications Regulations (PECR), might affect your business, do not hesitate to contact us.