The European Union just delivered an unwelcome Christmas gift to the US tech industry with a radical shake-up of data protection laws that will boost the rights of the individual consumer, but place fresh burdens on businesses.
Four years in the making, the text of the General Data Protection Regulations and the Data Protection Directive was finally signed off yesterday.
The regulation is due to be voted on in the Civil Liberties Committee today and, assuming it is approved, will go the European Parliament as a draft law in the new year.
By 2018, the new rules will be enforced across all EU member states.
There’s a useful digest from TechUK on the requirements of the new legislation - read here - but among the highlights:
- Businesses will need to seek consent (unambiguous or explicit) more often from consumers.
- Cloud-providers, data centers and data processers will now be liable for data held on their services.
- Increased restrictions on the use of profiling to support products and services.
- Limits on further processing of existing data, which critics argue will make it more difficult for many organizations to drive innovation.
- Mandatory notifications will have to be made within 72 hours of companies discovering a data breach.
- Fines for non-compliance of up to 4% of global revenue.
- The ‘right to be forgotten’ enshrined in EU law.
Věra Jourová, Commissioner for Justice, Consumers and Gender Equality declared yesterday:
These new pan-European rules are good for citizens and good for businesses. Citizens and businesses will profit from clear rules that are fit for the digital age, that give strong protection and at the same time create opportunities and encourage innovation in a European Digital Single Market.
But that’s not the view from businesses and their lobbyists.
Digital Europe, which represents US vendors such as Google, IBM, Apple, Oracle and Microsoft as well as European firms such as Siemens and SAP, says:
The final text falls short of the original intentions for this crucial piece of legislation. While we acknowledge that the instrument may bring greater consistency to the varied interpretations of data protection laws across Europe, the result fails to strike the proper balance between protecting citizens’ fundamental rights to privacy and the ability for businesses in Europe to become more competitive.
We fear that the text agreed upon between the European Commission, European Parliament and the Council of Ministers last night will undermine the ability of businesses in Europe to invest, innovate and create jobs.
UK-based tech trade associationTechUK adds:
There is no doubt that in the short term innovative data driven businesses of all sizes will face more bureaucracy, more legal uncertainty and more risk. However the big test will be whether Europe's consumers and citizens really do feel better informed and protected as a result of the new rules and whether Europe's businesses are able to stay at the forefront of digital innovation. Much will depend on the implementation of the Regulation and the role that Europe's Data Protection Authorities play in interpreting and applying the new rules…Time will tell whether this Regulation underpins or undermines Europe's ambitions for digital growth.
Meanwhile Matthew Fell, Interim Chief Policy Director for the CBI (Confederation of British Industry), warns:
Business supports a digital single market in Europe which works for both consumers and business, increasing jobs and growth as part of a reformed EU. Data is fundamental to delivering this and while the protection of that data is absolutely essential, these measures miss the mark for both businesses and consumers.
From driving research and development in healthcare to powering our free social media and search platforms, data analytics is a vital part of modern business. This new legislation could hamper that with unnecessary administrative burdens and costs, like mandatory data protection officers, placed on firms of all sectors and size.
And Stewart Room, head of the data privacy practice at PricewaterhouseCoopers, concurs:
Most companies will be shocked at the scale of the new rules and the work that needs to be done. Major retailers, the banking sector, and any entity that is aiming their marketing and promotion to consumers are especially at risk, as is any entity that uses data around children. Technology companies will also be in the firing line.
Not every business is against the tougher regime of course. Security intelligence firm LogRhythm is upbeat, as well it might be with its call for organisations to make sure they have the “tools, training and strategies” in place to meet the demands of the regime. (LogRhythm can obviously point interested parties in the right direction here. Every cloud etc etc.)
Ross Brewer, vice president and managing director for international markets at LogRhythm, declares that:
If this doesn’t act as a wake-up call for businesses, I’m not sure what will. What I do know is that this is a massive step forward in the fight against the bad guys.
Other, perhaps more sophisticated, analysis will undoubtedly emerge over the coming months. For now, what we do know is that in Europe we’re entering a whole new era in the digital, data-driven economy, one that has global ramifications.
As Ross McKean, head of the data protection practice at law firm Olswang, notes:
We have now moved from an era of relatively laissez-faire regulation of data in Europe to having the most stringent data laws in the world…This is not a compliance or legal challenge; it is much more profound than that.
There's a been a clear need to update existing European data laws to reflect the modern world, but this 'bugger's muddle' doesn't meet that challenge. Far from encouraging innovation, the new rules are more likely to consign Europe to the global digital economy's slow lane.
It's typical of the overarching 'big government' mission creep that embodies EU legislative thinking that a key proposal in all this was the mindboggling stupid idea of raising the age of social media consent to 16! Fortunately even the Eurocrats finally twigged how hard it was going to be to run around closing down 14 year olds Snapchat accounts or removing 15 year olds from Facebook.
Would that a similar burst of sanity had surrounded the 'ne'er do wells' charter - AKA the 'right to be forgotten', the soon to be legislatively-enforced blunt instrument for rewriting history.
Now the ‘fun’ really begins. Sigh.