1 February 2012

EU DATA PROTECTION LAWS – WHAT DOES IT ALL MEAN?...

After yesterday’s post on data protection, I thought it would be logical to follow with some info on the EU proposal for new data protection laws...
17 years ago, the EU’s 1995 Data Protection Directive set a milestone in the history of personal data protection, and whilst its principles are still valid, the differences in the way that each EU country implements the law have led to an uneven level of protection for personal data. In addition, the rules were introduced when the Internet was still in its infancy, and the digital age has brought with it increasing and sometimes unexpected challenges for data protection. With social networking sites, cloud computing, location-based services and smart cards, we leave digital traces with every move we make. Clearly, we now need a new set of rules that is future-proof and fit for the digital age.
What are the proposed changes?
  • The right to be forgotten will help people better manage data-protection risks online. When they no longer want their data to be processed and there are no legitimate grounds for retaining it, the data will be deleted. *
  • Explicit consent will be required for data processing rather than assumed.
  • Data Portability: companies must make it easier to transfer personal data from one service provider to another by making this information readily available to individuals.
  • Breach Disclosure: companies and organisations will have to notify serious data breaches without undue delay, where feasible within 24 hours. *
  • A single set of rules on data protection, valid across the EU, will benefit companies operating in several EU countries, as they will only have to deal with the national data protection authority in the EU country where they have their main establishment. *
  • International data transfers: individuals will have the right to refer all cases to their home national data protection authority, even when their personal data is processed outside their home country.
  • EU rules will apply to companies based outside the EU, if they offer goods or services in the EU or monitor the online behaviour of citizens.
  • Increased responsibility and accountability for those processing personal data: under the new regime, evidencing compliance will be crucial. Putting a comprehensive data protection programme in place will become an obligation under the statute. Data Controllers may need to review their contracts with Service Providers to ensure responsibilities are clearly set out and consistent with the proposed law. *
  • National data protection authorities will be strengthened so they can better enforce the EU rules at home by being empowered to fine those in breach of EU data protection rules up to €1 million or 2% of the global annual turnover of the company. *
What will this mean for individuals?
The proposed changes are intended to give individuals more control over and easier access to their personal data and improve the quality of information about what happens to that data once individuals decide to share it. These proposals are designed to make sure that personal information is protected – no matter where it is sent or stored – even outside the EU, as may often be the case on the Internet. Individuals can be confident that they can go online and take advantage of new technologies regardless of where they come from, whether it’s shopping for a better deal, or sharing information with friends around the globe.

In summary...
I am no lawyer, but luckily, the experts have already done the work of digesting the documentation and finding the most salient points... I have found an excellent summary of the proposed regulation provided by Lawrence Graham LLP. [Updated 19th March: EU-US Joint Statement on Data Protection by European Commission Vice-President & US Secretary of Commerce]

My parting shot... *
You may have noticed the asterisks I have put after some of the bullet points above; these mark the areas where the PCI DSS standard will be very helpful... Think about it: it is the only comprehensive set of data security controls that I know of, and if you just replace “cardholder information” with “personal information” everywhere it appears... I leave the rest to you...

Until next time...