Where next for data protection rules?
14 Mar 2012
Google may not be the only in company in hot water regarding the way it handles personal data, once new EU privacy rules come into force, as Jessica Twentyman explains.
Google has been in the headlines – and in hot water – over its revised data privacy policy, which came into force on 1 March.
The Internet giant says its new approach, first announced in late January, brings under one ‘umbrella’ the rules it applies to consumer data collected by around 60 of its web services, including search, YouTube and Google Maps. This will make it easier for consumers to understand how and why their personal details are collected, executives at the company claim.
European legislators take a wholly different view. In early March 2012, European Union (EU) Justice Commissioner Viviane Reding rounded on Google in interviews with The Guardian and BBC Radio 4, claiming that the company’s changes violate European data laws, because it failed to get consumer consent before making them.
Whether business leaders believe that Google’s new approach constitutes a ‘spy policy’ or not – and even if they don’t care either way – now is no time for complacency when it comes to how their own organisations handle the personal data of customers and employees.
While it seems that Google has fallen foul of existing rules, as laid down in the EU’s 1995 Data Protection Directive, a proposed update of those rules laid out in a draft regulation published in late January looks set to force businesses worldwide into sweeping and comprehensive reviews of their information management strategies. These rules apply not just to European businesses, but also to any business serving European customers and any data collected on European consumers.
The costs for non-compliance will be substantial: the 118-page draft regulation http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf contains a proposal to impose penalties of up to 2% of annual turnover for any organisation that is found in violation of a whole new raft of data protection obligations.
These new duties should be given serious consideration by IT professionals. Take this one, for example: any data security breach must be reported within 24 hours of its being noticed, not just to the relevant authorities, but also to all individuals whose personal data has been compromised.
Or this one: every organisation with 250 employees or more must appoint a data protection officer, answerable to the data protection authority (or DPA) in the country where the company has its main European operations.
Under the new rules, no data may be processed – interpreted broadly in the new rules, but basically meaning captured, managed and stored – without the explicit consent of the data subject (the individual to whom the data relates). In other words, data subjects must ‘opt in’ for their details to be kept on any third-party database.
All data processing operations must be documented and that documentation must be available on request to the relevant DPA. And data subjects may withdraw their consent at any time, under the ‘right to be forgotten’, so that any data held on them (except that which must be retained for legal reasons) is deleted in its entirety.
Meanwhile, if a company handles data that is deemed to present specific privacy risks – this includes medical notes, financial records, and video surveillance footage, for example – it must carry out a ‘privacy impact assessment’.
These rules are still in the early stages of a process that could take several years. First, they must be approved by the 27 EU member states and the European Parliament, after which countries have a further two years to transpose them into national law. But the proposed changes are so far-reaching that most companies likely to be affected – and there will be many worldwide – will need that time to plan and implement their compliance strategies.