EU data directive reform could be a business burden
The imminent reform of the European Data Protection Directive could be ineffective in the short term and place further financial and security burdens on European businesses at a time when they can least afford them, according to Invictis.
The proposed changes to the data protection laws, due to be announced in early 2012, aim to unify the existing legislation of each Member State and make it easier for businesses to transfer data. However, the new legislation is likely to take years to come into effect, leaving businesses to wrestle with today's contradictory rulings as well as the costs and inevitable risks associated with a changeover.
To exacerbate matters, the proposed amendments do not address the loophole created by the US PATRIOT Act, under which US authorities can compel US-based enterprises to hand over data they hold on foreign soil, including data stored in the EU.
Viviane Reding, Vice President of the European Commission and EU Justice Commissioner, championed the reform at the Industry Coalition for Data Protection in Brussels on 28 November. She stated that European businesses must today comply with disparate laws and often conflicting decisions made by the data protection authorities (DPAs) in each of the 27 Member States.
Likewise, any non-European business seeking to operate in the EU also has to abide by 27 different interpretations of the law on data protection. Reding estimates that the current level of bureaucracy costs 2.3 billion Euros a year, although she did not speculate on the costs of implementing the new legislation.
The Data Protection Directive reforms aim to make it easier to conduct cross-border trade and to reduce barriers to market entry, issues which many organizations have dealt with to date through self-regulation and binding corporate rules.
Methodologies such as rapid comparative benchmarking have also been used to assess the costs and legislative requirements of doing business with partners in different markets or of expanding across the continent, giving businesses insight into the data protection capabilities and security posture of partners, peers and competitors. Reding acknowledged the importance of self-regulation but called for further changes.
The amended directive will include:
A ‘one-stop-shop’ – one law and a single DPA for each business to be determined by the Member State in which the business has its main operations.
Consistent enforcement – cooperation between DPAs to ensure the directive is enforced consistently.
Abolition of processing notifications – the directive will dispense with the general requirement to notify DPAs of data processing activities.
Single binding rules – improvements to the current system of binding corporate rules to make these exchanges simpler and less costly through the adoption of a consistent and streamlined approval process with a single point of contact at the DPAs. Binding corporate rules approved by one DPA will then be recognised by all other DPAs across the EU.
Data ownership – place individuals in control of their information and foster a greater sense of trust with customers through transparent data processing. Businesses must obtain explicit, specific consent from individuals and detail how information will be used by the business and any third parties. Data portability will be improved, making it simpler to transfer data to alternative service providers. The ‘right to be forgotten’ will be instated so that an individual can request the deletion of their data.
Mandatory breach notification – oblige data controllers to notify the individuals concerned and the relevant DPA of any data breach as and when it is discovered.
While these changes promise to break down borders, they will also place a greater onus on European businesses to empower the individual, to monitor and delete data, and to report breaches promptly. While these aims are commendable, the costs involved are not insignificant and it is unclear how and when the changes will be brought into effect. Consequently, businesses will be left to interpret the changes in a legislative vacuum. Furthermore, European businesses will continue to be hamstrung by the US PATRIOT Act, which currently allows US authorities to compel US-based enterprises to disclose data in ways that conflict with EU data laws.
One method of monitoring and evaluating the impact of the reforms is comparative risk benchmarking. This will enable businesses to assess the impact and costs of the changes, and to pinpoint how specific sectors, corporate demographics and geographies are implementing them. It will also reveal any increase in risk introduced through change management as businesses alter their processes to accommodate the new requirements.