The main financial saving, argues Reding, will come from the fact that pan-European data handlers will have to deal with only one set of rules and one data protection authority – the one in their country of origin. In the UK, that is the Information Commissioner’s Office (ICO). Supposedly, all member states’ authorities will apply the law consistently.
“One of the biggest flaws with the current regime is that it does not deal well with businesses operating across more than one country,” Guy Wilmot, solicitor at Russell-Cooke Solicitors, told Computing. “Once the regulation is enacted, businesses operating in more than one EU country will have the comfort of operating with one set of rules and will be able to deal with one regulator,” he adds.
Fines and punishment
Critics of the regulations have been quick to highlight the fines the EU wants to levy on organisations in breach of the new regulations – up to two per cent of annual worldwide turnover. An early draft pitched the ceiling for fines at an eye-watering five per cent.
But what is more likely to be a shock to European companies is the level of transparency required by the new regulations. Companies that suffer a data leak must inform the data protection authorities and the individuals concerned – as they already have to do in some US sectors – “without undue delay”, a phrase Reding handily translates as “within 24 hours”.
“That’s going to be tough for some companies to adhere to,” says Lisa Banyard, PwC data protection leader. “Those that don’t already have a well-oiled reporting mechanism in place will need to implement measures to flag breaches in time.”
Fit for purpose?
The proposed overhaul of the Data Protection Directive was adopted by the Commission on 25 January. Inevitably, it has been subject to concerted lobbying from data handling companies who think it places onerous burdens on them.
More significantly, the proposals were given a thorough drubbing by Europe’s independent Data Protection Supervisor (EDPS), Peter Hustinx. He called the EU’s proposed rules governing how law enforcement agencies will handle personal data “unacceptably weak”.
Hustinx found numerous other holes: a lack of legal certainty about how law enforcement will be allowed further use of personal data beyond the initial purpose for collecting it; possible derogation for transferring data outside the EU; and the excessive power vested in the European Commission’s role to enforce consistency of data protection rules at the expense of member-state data protection officers.
“We are unfortunately still far from a comprehensive set of data protection rules on national and EU level in all areas of EU policy,” he concluded.
This stinging critique doesn’t mean the overhaul of the regulations won’t happen. It’s just transparent democracy in action. The broad intent to harmonise EU data protection measures still stands.