Data Protection Changes: How Will This Impact You After The General Election?
With the General Election looming, and the Conservative Party’s pledge to renegotiate Britain’s membership by holding a referendum to determine whether to remain in the EU, this could have far reaching implications in terms of emerging EU laws.
One area where it would have significant impact if the UK left the EU, is the European Commission’s comprehensive reform proposals for data protection.
Many have argued that the original data protection Directive in 1995 has not kept up with the technological developments and that change is now needed.
This change is fuelled by the desire to create a Digital Single Market because of the nature of digital technologies which move fluidly across borders. It follows that it doesn’t make sense for each member country to have its own set of laws for data protection if technologies can so easily transgress boundaries.
Back in 2011, the EU Commissioner said that the goal is for EU citizens to be protected regardless of where their data is processed. The idea is that when citizens trust e-services and feel comfortable using them there will be a growth in the market with a tangible fiscal return.
Benefits for Individuals and SMEs
The proposals currently being debated will have numerous benefits for individuals as well as SMEs if implemented.
The European Commission Fact Sheet on the data protection reforms highlights that for individuals the reform will help to strengthen their rights by giving them control of their data, and hopefully increase their trust.
The 5 main changes include: the introduction of the right to be forgotten, ease of access to your own data, a say in how your data is used, a right to know when your data has been hacked and the requirement that default settings for products be privacy-friendly.
For businesses, particularly SMEs, the benefits are considerable. The European Commission Fact Sheet notes that the reform is premised upon stimulating economic growth by cutting costs and alleviating the burden of regulatory requirements for businesses. This is achieved by having a unified body of law.
The implementing Regulations are expected to be passed at the end of 2015. Once enacted, the new law would take immediate effect in each member state. There would be no need for national implementing legislation.
According to the Fact Sheet, for some SMEs the reform will mean that they are exempted from appointing a data protection officer (unless data processing is their business), that they will no longer have to notify supervisory authorities, that where requests to access data are excessive they may charge for this and that they will not be obligated to conduct impact assessments unless there is a particular risk.
Impact of these changes
Proposed fines for breaches of the rules are significant, capped at 2% of turnover. For large commercial enterprises the maximum financial penalties for inadequate data protection measures could be staggering. For smaller businesses this is less of an issue.
The proposed reforms also require any loss of data to be notified within 24 hours. This requirement has been particularly controversial, as many businesses are ill-equipped to identify and address data losses quickly.
One hot topic is the proposed right to be forgotten, enabling people to require data processors to delete personal information, and also to identify how the information has been shared, if feasible. Some argue that increased administration arising from this right, combined with a greater burden to obtain explicit consent, and the training involved, could be very costly for businesses.
What does this mean for the UK?
It is clear that these reforms would be significant and quite beneficial to individuals and businesses. However, depending on the outcome of the election, it is possible they will not apply in the UK. This possibility would satisfy digital rights groups such as the UK’s Open Rights Group, which has signed an open letter to the EC President stating that these reforms will have the negative impact of eroding data protection for individuals.
If the UK leaves the EU these reforms, which are so beneficial to businesses on many levels will not be applicable in the UK, to the detriment of digital business in the UK.