Data privacy has been more in the spotlight than ever recently, with potentially game-changing announcements from both sides of the Atlantic. These have ramifications for any organisation holding personal data.
Viviane Reding, vice-president of the European Commission (EC) and EU Justice Commissioner, announced the overhaul of the EU’s Data Protection Directive on 22 January 2012, billing the move as “a fundamental reform of the common European rules that govern the free movement of personal data in Europe’s single market and the best possible protection of such data in the digital age”.
A month later, the White House announced that the US government is to draw up a Privacy Bill of Rights, trumpeted as “a comprehensive blueprint to improve consumers’ privacy protections and ensure that the internet remains an engine for innovation and economic growth”.
The UK government, meanwhile, has announced its determination to have far greater access to citizens’ data. In such a complex environment, clearly, the CIO needs to remain in the driving seat of any organisation’s policy.
“There is no doubt that the new data protection proposals will impact all aspects of data handling, irrespective of whether that data relates to staff or customers,” Vinod Bange, partner and data protection law expert at Taylor Wessing, told Computing. “CIOs will need to be aware of this impact, and the consequences along the whole data lifecycle.”
“Tougher rules around data collection, consent and transparency will challenge the lawful basis for collecting the data in the first place and potentially encourage a regulatory environment geared towards data minimisation,” Bange adds.
“This may mean that CIOs will need to revisit current data classification policies … to ensure such policies correctly capture all information that should be regulated.”
EU data protection regulations were formulated in 1995, the year Facebook’s Mark Zuckerberg celebrated his 11th birthday. The majority of consumer internet connections were dial-up, and cloud was a meteorological phenomenon. Scott McNealy, then chief executive of Sun Microsystems, achieved brief notoriety by saying: “There is no such thing as privacy on the internet. Get over it.”
Since then, personal data has become a currency that consumers trade for services. Surrender your name, email address, date of birth, job title, education, location, photos, purchasing choices, holiday destinations, likes, and dislikes – and you can play with your acquaintances online.
The EC is keen to dispel any notion that the General Data Protection Regulations will stifle online innovation, and is presenting them as an enabler of e-commerce. The EC wants to create a single digital market across member states. To achieve that, Europe needs a single set of data protection regulations.
“Like any currency [personal data] needs stability and trust,” says Reding. “Only if consumers can trust that their data is well protected, will they continue to entrust businesses and authorities with it, buy online, and accept new services.”
But this isn’t just about keeping credit card details safe. By addressing the trust underlying e-commerce, the new rules throw a wide net. The Commission has widened the definition of personal data, so more elements of information will fall under the regulations, says Bange.
“Detailed rules around data collection and use will be just as important as the strategic decisions on global data flows,” he adds. “Failure at either end of the data regulatory spectrum will now attract much tougher penalties, so CIOs can ill afford to ignore this.”
The Commission’s proposed changes introduce a number of new measures. Fundamentally, they take control from the data collector and hand it to the data subject.
“The new proposals will shift power into the hands of individuals,” says Jonathan Nugent, data protection specialist at PwC Legal. “In theory, once the proposals are implemented it should be much easier to access, move or delete whatever personal data companies hold on you.”
Among the powers individuals will have over their data are the rights to portability and deletion – the right to be forgotten.
The right to data portability will make it easier for users to move to a different provider since their switching costs will be effectively reduced, says Lukas Feiler, associate at Wolf Theiss law firm in Vienna and a fellow at Stanford University and the University of Vienna Transatlantic Technology Law Forum (TTLF) and Forum on Contemporary Europe (FCE).
The right to be forgotten means a data subject could withdraw consent to the processing of his or her data at any time. “Once consent has been withdrawn the data has to be deleted,” Feiler says.
Regulate to save
The EC estimates the new regulation will save businesses around €2.3bn a year. But all companies that handle personal data and employ more than 250 people will have to appoint a corporate data protection officer (CDPO), as they already do in Germany. Feiler reckons this role will fall to the CIO in many organisations.