The European Commission has introduced a draft package of measures aimed at reforming and harmonising data protection law across the European Union. The bulk of these measures is to be introduced in the form of a regulation, meaning that the new law will be implemented in the same way across Europe. This thinking is logical – one of the issues with current legislation is that it has been implemented differently across the European Union.
The UK government would, however, prefer to see the legislation in the form of a directive. This would give the UK some flexibility as to implementation and – depending on the drafting of the directive – enable us to opt out of some of the most contentious provisions such as the right to be forgotten online, which the UK and other countries deem to be unworkable. The new right to be forgotten gives individuals the power to request deletion of all their online personal data under certain circumstances.
The attraction to the individual of this right is obvious. Paris Brown, the Youth Crime Commissioner who resigned over comments she’d made on social media some years ago, would have been an obvious beneficiary, and doubtless she is not alone in wishing she could be forgotten online. Wishes don’t always come true though. Even if such a right is protected by law, it is hard to know how it will be put into effect.
The provisions are at best onerous and at worst unachievable for businesses asked to delete an individual’s personal data. They may be forced to look through huge numbers of records in both electronic and manual form for references to a particular person. ISPs, hosting platforms and social media networks are already complaining that they simply cannot put this provision into effect as they have no control over data that has been onward published by third parties. From the point of view of individuals, they may find that the right to be forgotten promises more than it can deliver once the exceptions kick in.
Another concern is the impact that the regulation will have on small and medium-sized enterprises (SMEs). The current draft contains some exemptions for SMEs, but they will still have to comply with a number of provisions that will cost them a great deal of money without providing much benefit.
One of the most obvious examples of draconian and possibly unworkable requirements under the regulation concerns breach reporting. As currently drafted, businesses have just 24 hours to report a security breach to the relevant supervisory authority. In addition, data subjects must be notified of a breach “within a reasonable time” unless the business can demonstrate that it has taken reasonable steps to protect the leaked data. With no exceptions made for smaller breaches, these provisions have caused considerable alarm both among businesses and the supervisory authorities – which are likely to be inundated with breach notifications. In this instance, the European Commission does appear to have understood that the time frames are unfeasible and is likely to make changes in the next draft of the legislation.
It seems exceptionally unlikely that the EC will change the regulation to a directive, not least because Viviane Reding, the European Commissioner in charge of the reform, reportedly said the UK’s call for a directive was “crazy”. We will, however, almost certainly see some changes to the current draft as European parliamentary committees have put in proposals for some 3000 amendments, which are likely to be voted on at the end of May.
The European Commission is likely to issue a re-draft of the regulation based on the views of the Parliament and the European Council, although it will not necessarily incorporate them all. It seems probable that this will be the final draft, and while we can hope for more choice within the terms of the regulation, there will be no choice but to comply once it comes into force.
Debbie Heywood is an associate at law firm Taylor Wessing.