The value of EU citizens’ data is predicted to increase to €1trillion by 2020, and as the extent of international intelligence efforts have demonstrated, it is a much-coveted commodity. Consequently, legislation must keep pace with digital development to offer comprehensive data protection – a sentiment recently reflected in the European Parliament.
Late last month, an overwhelming majority of the European Parliament’s Committee for Civil Liberties, Justice and Home Affairs (LIBE) backed reforms to the European Data Protection Act. Speaking ahead of the vote, President of the European Commission José Barroso summed up all that the reform hoped to achieve, declaring: “We need to combine the digital agenda with a better framework for protection of data and privacy rights. Trust in the data-driven economy has to be restored not only for the needed confidence but also for its potential impact on growth.”
Although the reform has yet to be debated, and agreed upon, by the European Commission, Parliament and Council, these recent developments offer interesting insight into the future of the European data protection landscape.
One continent, one law: data protection in Europe
It is hoped that the legislation will replace a ‘patchwork’ of national laws with one, pan-European law that, ultimately, will make it simpler and cheaper to conduct business in the EU by becoming a one-stop-shop for data protection. To this end, last month's vote introduced and enhanced several concepts of the initial proposal, and will shape the way that data protection is carried out throughout the EU (find a full summary of the changes here):
- Data transfers to non-EU countries – Coming in direct response to the data surveillance activities revealed earlier this year, should a third country request a company disclose personal information, firms will have to seek authorisation from their national data protection authority before transferring the data, as well as inform the individual(s)
- Data Protection Officers – It will become mandatory for companies with more than 5,000 client contacts per year to appoint a Data Protection Officer
- Right to erasure – Individuals will be able to request data controllers erase personal information – and firms will also have to forward this request onto other organisations where data are replicated
- Explicit consent – Where processing is based on explicit consent, organisations will have to obtain clear permission from the data subject (who can withdraw their consent at any time) before processing personal information
- Profiling – Profiling will only be allowed subject to a person’s consent, when provided by law or when needed to pursue a contract
- Sanctions – Fines of up to €100m or 5% of annual worldwide turnover (whichever is greater) will be levied against companies found in breach of data protection rules
A breakthrough for European data protection
Satisfying the requirements of 28 member states has meant that it’s been a long road to even reach this point, and although critics have pointed out that vague wording could cause loopholes, the progress has been championed in the European Parliament as a “breakthrough” and a ‘clear signal [that] data protection is made in Europe’.
The strength of this support must galvanise organisations in the UK, and the rest of Europe, to engage directly with the data protection reform. Thanks to its extensive aims, the impacts of the reform will be far reaching, meaning that every organisation will have to be aware of what will, or won’t, change for them.
Although there is some speculation as to whether the reform will be introduced in 2015 or 2016 (or even later), and it is likely that further amendments will be made before a final version is agreed, staying abreast of developments and remaining responsive now will put organisations in a better position to cope with the changing data protection landscape.