European Commission to increase the Data Protection burden for businesses

Recently leaked information gives details of a European proposal for a new data protection law (See Financial Times of Monday 12 December 2011).  The European Commission has been debating such a law for at least 12 months and indeed sought submissions on possible changes over that period (See, for example http://ec.europa.eu/justice/news/consulting_public/news_consulting_0006_en.htm).  If the leaks are to be believed, the new law will require EU countries to adopt stringent new data protection measures.  If breached they will allow for companies to be fined up to 5% of annual turnover.  This is in stark contrast to the present theoretical maximum fine of £500,000 (See https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-law-enforcement-processing/penalties/).

The United Kingdom Commissioner’s Office (ICO) has had this power to fine companies only since 6 April 2010.  However, the ICO has used this power sparingly. Indeed in the first 20 months the ICO has fined only two businesses.  Excluding one nominal fine, the only fine imposed on a commercial company was to A4E Limited, a company acting primarily as a supplier of service to the public sector.  All the remaining seven fines were of local authorities.

History shows, that at least in the United Kingdom, the ICO has no appetite to take on companies bigger than he is.  Take for example the case of Google collecting Wi-Fi data unlawfully in preparation for its Street View service a few years ago.

The UK Information Commissioner took no effective action against Google, unlike his counterparts in Germany, Italy, Switzerland, Canada and Czech Republic (See, for example http://www.bbc.co.uk/news/technology-11684952).  In more recent times, the UK Information Commissioner has similarly failed to take action against Sony in respect of the Playstation hacking incident or against Facebook for tagging of facial features (See, for example http://www.dailymail.co.uk/news/article-1260334/Facebook-tagging-launch-breach-privacy-EU-court-battle-looms-social-network.html).

This week has seen David Cameron throw down a gauntlet to the European Union to protect the London based banking industry.  The European Commission is proposing a radical change to the United Kingdom’s softly-softly approach to policing the data protection legislation, by proposing that a new European bureaucracy would enforce the new legislation.  It remains to be seen whether the British government will continue the stance it started last week in opposing this type of legislation.  If it fails to do so, British industry and British banks in particular will face a very significant increase in the risks associated with data loss.

The one silver lining in the cloud of the new proposals is the way in which they propose to tackle the Cloud Computing industry.  Previously this industry, based as it is to a large extent outside the European Union, has been able to ignore European data protection rules.  The European Commission is proposing to extend enforcement of the new European Union rules to all foreign companies operating in the European Union.  This would mark a significant change.  No longer would companies such as Facebook be able to hide behind a foreign veil.  Instead, the new EU rules would allow their EU subsidiaries to be fined.

However, a company can only be fined if the proposed European data-policing authority knows that the company has breached data protection rules.  Therefore the European Commission is proposing to require companies to report data protection breaches.  This is consistent with EU Commissioner Viviane Reding remarks in a speech on 29 November 2011, when she said “Our proposal will introduce a general obligation for data controllers to notify data breaches. In concrete terms, that means notifying data protection authorities and the individuals concerned when a data breach is discovered.” (See http://ec.europa.eu/commission_2010-2014/reding/pdf/speeches/data-protection-social-media_en.pdf).  What is not yet known is whether all breaches must be reported or, more likely, only those over a certain threshold of importance.

A proposal that has been debated for a while is a “right to be forgotten”.  A provision to achieve this will also be included in the new legislation.  This will require Facebook and other social media networks to change their sites significantly to improve the ease with which individuals can require their data to be removed.  All of this is significant with Ms Reding’s view that “The protection of personal data is a fundamental right”.