Wednesday, 25 January 2012

EU Data Protection Reform 2012

Europe Sets the Standard

The European Commission today proposed a comprehensive reform of the EU's 1995 data protection rules, to strengthen online privacy rights and boost Europe's digital economy. The text of the proposals (pdf) comprises a hefty 91 articles and supporting material, spread over 120 pages. Here, summarised in the form of annotated bullet points, are eight of the most important and/or controversial aspects from an initial reading of today's proposals.
  • One Rule for All
The intention is to introduce a single regulation (law) across all 27 member countries. This contrasts with the 1995 directive, which specified only the desired results. While these results were themselves binding, they were left to the individual states to implement, using their own chosen methods and mechanisms. Nobody seriously considers the outcome of that process, predictably enough a patchwork of 27 variegated rule sets, to have been a resounding success.
  • No Geographical Boundaries
Article 3 declares the scope of the new regulation, which would extend to anyone, anywhere in the world (yes you too, America!), involved in the processing of any personal information, relating to any EU citizen. And by personal information is meant not only names, dates, and places, but also technical data such as IP or Mac addresses; (explicitly) information of a genetic, biometric, or health nature; and so on. Service providers like Facebook or Google must accept these obligations in full, or else deny their services to EU citizens.
  • The Right to Erasure
Article 17 guarantees EU citizens the right to "extended erasure" of their personal data. Not only will the organization that processes personal data have to erase it on demand, but the they will also have to "take all reasonable steps, including technical measures" to get any copy, link, or replication on the Internet removed. Now, although in practice search engine data removal can mostly be automated, data removal from e.g. sites repeating CC-licensed Wikipedia content could be problematic.
  • Data Portability
Article 18 introduces the right to data portability - that is, to obtain a complete copy of stored or active data in a structured format. For example, this will allow users to switch between web mail systems with all their data intact.
  • Mandatory Assessments
Article 30 binds organizations to systematic security risk evaluations; unlawful forms of processing, unauthorized disclosure, dissemination or access, or alteration of personal data must be prevented. Here, the commission reserves the right to define: what constitutes the state of the art, for specific sectors and in specific data processing situations, in particular taking account of developments in technology and solutions for privacy by design and data protection by default.
  • Mandatory Notifications
Article 31, already being dubbed the Playstation Clause, requires organizations to disclose to their supervisory authority, effectively immediately, and in any case within a maximum of 24 hours, any personal data security breach. Sony famously waited one full week before telling their SEVENTY MILLION customers their personal data might have been compromised. This provision has of course come in for immediate and heavy criticism; 24 hours is not a lot of time for the kind of investigations that might be needed to avoid many false alarms. It might also be too short an interval to prepare measures to ensnare hackers, and serve only to warn them their attacks have been noticed and actioned.
  • Enforcement: Data Protection Officers
Article 36 provides for data protection officers, designated in regard to their knowledge on data protection laws, who will be independent, and will receive no instructions pertaining to the exercise of their function. These officers will be mandatory in three prescribed cases, namely:
  1. for any public authority or body;
  2. for any company permanently employing more than 250 persons; and
  3. for any company whose core activity consists of monitoring data subjects [qv].
One important corollary is the end of general notifications to local agencies, which measure alone should simplify the regulatory environment and save an expected 130 million € per annum.
  • Enforcement: Enormous Fines
Article 79 aims to give the legislation the necessary "teeth" to enforce these rules. This it does by providing individual national data privacy agencies with huge administrative sanctions. Various levels are countenanced, depending upon the particular violation, but the headline figures are: up to one million €, and up to 2% of an enterprise's annual worldwide turnover. Just to put that in context, to Microsoft in 2008, that would have come to 1.2 billion € plus tips.


It's a bold proposal, obviously designed to take the lead in the international areas of user privacy, data ownership, and data security. Certain of its provisions appear superficially to be quite "heavy" in their commercial import; some rather impractical, and maybe idealistic, although given the technological representation present and the consultancy that has taken place over the last 17 years, certainly not as naive as recent American proposals in adjacent fields (SOPA, ProtectIP). The Commission has clearly decided to take a stand against the piecemeal, partial, and largely failed implementations of its earlier directive. It will be very interesting to see how and where this extensive new structure flexes under the opposing pressures of commerce and politics in coming months.

Picture: Berlaymont building of the European Commission (Wikipedia).

No comments:

Post a Comment