The European Parliament voted on March 12th to adopt the amendments put forward by the LIBE Committee. An overwhelming 95% voted in favour (621 for, 10 against and 22 abstained).
What does that mean to UK businesses?
Essentially the European Parliament has now given its backing both to the structure and fundamental principles of the European Commission’s data protection reform proposals – the General Data Protection Regulation and the Data Protection Directive.
However, to become law the proposed Regulation still has to be adopted by the EU Council of Ministers, who, on March 4th 2014, supported the principle that non-European companies who provide goods and services to European individuals will have to apply the EU data protection law in full.
The next meeting is scheduled for June 2014, and even though this falls after the European elections, yesterday’s vote means that Parliament has now made its decision, and its position will not change regardless of the results of the May elections.
Should these amendments ultimately become law, UK businesses will be affected by a number of issues, many of which have been raised in previous blog posts.
While there are undoubtedly restrictive disadvantages to businesses, there are also some advantages which will help establish a level playing field as well as saving time, money and legal costs.
A single law throughout Europe – A single law for data protection across Europe will replace the individual countries’ existing laws, making it easier for companies who will no longer have to work within 28 inconsistent and diverse laws. According to Europa EU, this will benefit business to the tune of 2.3 billion euros per annum.
One-stop-shop – under current legislation, a business is subject to the national data protection authority in every country in which it operates. The new one-stop-shop rule means that a business will only be subject to the national data protection authority in the country where its Head Office is based.
While this is of significant benefit to businesses, it does make it unwieldy for consumers to keep control of complaints they make against a company whose head office is in a different country. The one-stop-shop rule means that such consumers will have to complain to their own national data protection authority, who will then pass the complaint to the authority in the relevant country for action under their jurisdiction. This is quite different from current regulations, where the business is responsible to the data protection authority in the country in which it operates.
Same rules for everyone – Companies based outside Europe will have to apply the same rules as those within. Currently European businesses work under much stricter rules than their counterparts elsewhere so this will level the playing field. In addition, there will be an increased level of fines for breaches of the regulations. The ICO can currently levy fines of up to £500,000, but the new legislation proposes fines for businesses who break the data protection rules of up to £85,000,000 or 5% of annual worldwide turnover – whichever is the higher. This should certainly concentrate the minds of some of the data-using giants of industry.
However, there are significant disadvantages to businesses as the EU proposals seek to empower the data subject far more strongly than ever before:
Right to erasure – originally this was the “right to be forgotten” – and it allows data subjects to demand that their data is erased by businesses. The latest version states that not only must the business erase the data, but it must also pass that request on to other businesses where the data is replicated. This amendment will cause severe difficulties for businesses such as social networks, cloud providers and search engines. However, the right to erasure does not apply where there is a legitimate reason to keep data within a database, and it may not encroach on the freedom of expression and information of the media.
Consent – obtaining consent from the data subject will become significantly more difficult for businesses who collect and use personal data. Currently consent may be “inferred” based both on consumers’ actions and their lack of action. Under the current legislation, if somebody buys a product online, and does not opt out; or if an individual does not “unsubscribe” from communication messages, then – depending on the circumstance – it can be “inferred” that the individual has given their consent to receipt of communications, services or offers.
However, the LIBE amendments require “explicit indication of the individual’s wishes” and “clear affirmative action”. The implications are significant, as it is unlikely that current opt-out or unsubscribe mechanisms will meet the required level of consent. There will also be increased restrictions over relating the consent to the “Purpose” of collecting the data. If the original Purpose no longer exists, then the company may not rely on that consent to process the customer’s personal data.
This is likely to have a significant impact on businesses – research from fast.map shows that just 30% of consumers today are likely to opt in, compared to 51% choosing not to opt out. Clearly, over time, there will be changes to these statistics – consumers will become more aware as a result of businesses being forced to become more transparent about how they intend to use the personal data provided. It is also noteworthy that, from the same research, 40% of people currently state they will provide information in return for something they perceive to be of value. Some creative thinking is required to find real, tangible benefits to consumers in return for them providing their data.
Profiling – the use of profiling is widespread among UK businesses and direct marketers. The EU regulations state that data subjects must be provided with a clear explanation of any profiling. There is even provision to ban profiling entirely in those circumstances where it affects fundamental rights or produces potentially discriminatory results (on grounds such as race, religion etc.). The impact of this on financial services organisations, or on those who use credit checking, is likely to be inconvenient at best.
Data Protection Officers – the LIBE amendment requires that a data controller or data processor must appoint a Data Protection Officer (DPO) for a minimum of four years when processing personal data relating to more than 5,000 data subjects within any 12-month period. Even where an organisation processes data on fewer than 5,000 individuals, if those records include sensitive personal information such as children’s personal data, then it too must appoint a DPO. Having said that, SMEs are exempt as long as data processing is not their core business activity.
Data Subject Compensation policy – Individuals who have suffered damage can claim compensation for breaches of the Regulation. This would mean that an individual woken up by an unsolicited telemarketing call could claim damages for being disturbed.
There is still a long way to go before the EU legislation is finalised, and in the meantime discussions will continue. Many countries are clear that getting the legislation right is more important than hitting an arbitrary deadline so both the content and the timetable are subject to change.
Nonetheless it is well worth UK businesses preparing for changes to the data protection landscape. Although the new legislation is not expected to be in place before 2016, and may possibly slip to early 2017, changes are definitely going to happen, and planning for compliance will need to begin now.
If you have any concerns over how the new EU legislation may affect your business, or would like advice on becoming and remaining compliant, please contact us on 01787 277742.