Two steps forward for our digital footprints
Rebecca Clutten discusses the recent pan-European data protection agreements and what they mean for the rights of individuals over their personal information
The security of our personal data when online has never been of greater concern. The majority of people are now organising or conducting much of their lives - both professional and personal - from computers, tablets, and smartphones, and the incidence of online fraud and other forms of cybercrime is rising.
As a result, it has become more important than ever to ensure participants in the digital world can have confidence both that those with whom they share their personal data are adequately protecting it, and that they retain ultimate control of that information.
Until now, however, data protection laws across the EU have arguably not been up to the job, in large part because they, unlike the digital world they seek to govern, do not have a uniform trans-boundary effect. They were also brought into force nearly 20 years ago, when the full extent of our online activity could scarcely have been imagined.
The EU Commission recognised this and, in 2012, put forward proposals for a comprehensive EU-wide reform of data protection legislation. In December 2015, after more than three years of discussions between the European Commission, Parliament, and Council, an agreement was finally reached about the package of reforms to be taken forward.
The proposed reforms comprise two principal instruments: the General Data Protection Regulation and the Data Protection Directive. The former is aimed at the general population, while the latter is aimed at the police and criminal justice sector. It will be noted that, unlike with the 1995 directive on data protection, the legislative form of the regulation is such that no implementing legislation will be required, presumably with the intention of reducing the scope for differences to arise in the application of the new rules across member states.
While the rest of this article is concerned with the implications of the regulation, it is noted that the directive provides for increased punitive sanctions for data offences, a proposal which will no doubt find favour with the Information Commissioner's Office (ICO), which recently called for stronger sentencing powers for dealing with those convicted of stealing personal data.
So, what are the reforms introduced by the regulation, and what will they mean for EU citizens and businesses? The following in particular have been highlighted by the Commission as principal changes to the rights of individuals over their personal data:
A person will have easier access to their own data, with greater and clearer information being made available about how that data is processed;
There will be new rights to 'data portability', enabling people to transfer information between service providers more easily;
The law on the 'right to be forgotten' will be clarified, enabling individuals to have their data deleted if they no longer wish for it to be held, provided that there are no legitimate grounds for its retention; and
Every person will have a right to know when their data has been hacked, with an obligation on data controllers to notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures.
Data protection burden
As well as improving the substantive content of data protection rights, the proposals are intended to improve the way in which they are handled, including by reducing the burden on some data controllers.
SMEs are particular beneficiaries of this aspect of the reforms: it is proposed that they will be exempt from requirements to notify data protection activities to supervisory authorities such as the ICO and to have a data protection officer (save where data processing is their core business activity). They will also be able to charge for 'unfounded or manifestly excessive' data requests - although no doubt what constitutes such requests will be open to lively debate.
For others, the burden of data protection will inevitably be increased as a result of the reforms. The proposals will require, for the first time, those based outside the EU to comply with EU requirements on data handling where they are handling the data of those within the jurisdiction. It will be particularly interesting to see how and to what extent infringements of this obligation will be enforced.
The current timescale proposed is for the formal adoption of the reforms to take place in the early part of 2016, and thereafter to come into force in 2018. While this might seem some time away - and while it is, of course, also uncertain whether the UK will remain in the EU at the relevant time - the changes are significant. As such, businesses that process significant amounts of data would be well advised to begin looking at the changes now to see how the proposals might affect them, in order to avoid any unpleasant surprises when the time eventually comes.