This week, after nearly four years of debate, European Union officials finally reached agreement on a new EU-wide digital privacy law. The law, which must still be approved by the EU Parliament in January, creates a strict new legal framework for how companies can use individuals’ personal information.
Stuart Buglass, vice president of Consulting at Radius Worldwide, who has 15 years’ experience advising high-tech multinationals on overseas data protection/privacy regulations and compliance, says there are both positives and negatives to the new law from a business perspective.
“Most of the provisions of the GDPR simply refresh what is already included in the existing directive, so for those data controllers that are already compliant the step-up required by the GDPR should not demand too many upgrades,” says Buglass. “Having said that, it remains to be seen what benchmark will be required to comply with the privacy by design, the right to be forgotten, the consent requirements and data breach notification provisions…all of which will have even greater significance given the large penalties that could follow a breach.”
Among the positives is the fact that companies will now have just one set of rules to follow. The new law will replace a patchwork of 28 different sets of national privacy laws. Having one set of data privacy rules operating across all member states is a big improvement, says Buglass, but enforcement will still be a matter for local courts and their interpretation of the laws.
“It remains to be seen how consistency can be maintained between Member States,” says Buglass. “Nor will there be a single data protection authority – each country will continue to have its own regulatory authority.”
Fines could be substantial
On the negative side, the new law requires that consent from individuals must be explicit and must be given each time the processing or use of the data is expanded or changed.
That “could have ramifications for businesses that apply ever-changing analytics as part of the march for Big Data,” says Buglass. “In many cases the current practice of getting a single consent box ticked at the point of initial collection will not be enough.”
The new law will also boost the bloc’s previously small privacy penalties to potentially billions of euros. Determining fines was one of the major sticking points in reaching an agreement on the new law. The EU Parliament wanted a 5% fine and the Council wanted a 2% fine. On Tuesday, a compromise was reached. The final ruling was that a breach could result in a fine up to 4% of a company’s global gross revenue, which could be a very big sum for a large company.
“This will raise major concerns in the boardrooms of all large multinationals, including U.S. social media giants such as Facebook and Google, who have a long history of run-ins with the European courts on data privacy infringements,” says Buglass.
Extraterritorial reach
Buglass says one provision of the new law that may have a great impact on businesses, but is likely to attract less attention than the large penalties, is its extraterritorial reach: the law will apply to all companies that collect data on EU data subjects, and does not require the Data Controller to be ‘established’ in the EU.
All Data Controllers that use EU citizen data will have a duty to document their data processes, including categorizing data types, maintaining an audit trail that records the recipients of data, applying time limits to data retention, and providing individuals with better access to their data.
A processor has liabilities, too
Under the current Directive only Data Controllers are liable for privacy breaches; third-party data processors operating on behalf of the data controller do not have liability for breaches. But under the new law individuals will be able to sue data processors for damages. The law also specifically includes storage as an act of data processing, so there can be no argument about whether storage in the cloud falls inside or outside the law.
The bottom line
Buglass says the biggest impact of the new law will likely fall on organizations that are currently free from EU data protection laws – namely data processors, and those data controllers that are not deemed to be established in the EU – both of which will find themselves liable for breaches of any EU data in their control.
One last bit of good news: If the final draft gets approved by the EU Parliament in January, it will be two years before it will become law – giving businesses plenty of time for further discussion and time to put action plans in place.