Several weeks ago, just before the EU published its proposals to replace the EU Data Protection Directive 95/46, I wrote, admittedly somewhat tongue in cheek, about what might be contained in the new draft [The right to be forgotten, Smart e-Discovery blog, 24th January, 2012]. Since then, the EU has produced its proposals to a chorus of indifference other than from some quarters of the business world who grumbled that it was all going to be more expensive.
In New York, at Legal Tech 2012, only one US lawyer asked me what I thought about the proposals. However switched on the US legal fraternity may be (and they generally are), they are clearly not goggle-eyed about what is going on in Brussels. Not that I blame them when they have a presidential election coming up with the GOP making all the wrong noises and with the Democrats staying oddly silent on most if not all the issues of the day. I suppose that they assume that their man will win as the incumbent while the challengers tear themselves apart. However unlikely a President Romney or a President Gingrich may seem to us, I find it surprising that President Obama and his team have little to say at this time.
I have already expressed the view that the new EU proposals will be a long time in the making. It is one thing to publish proposals in an EU context and quite another to see those proposals translated into reality that can be enforced around the nation states. It is not my purpose to provide an exhaustive (and exhausting) analysis of the new proposals but it is worth mentioning some of the highlights.
- There are to be increased penalties for mishandling personal data. Reports suggest that fines may be up to 1 million euros or 2% of turnover.
- There is to be a single set of rules on Data Protection valid across the EU.
- There is to be increased responsibility and accountability for those processing personal data.
- Data breaches are to be notified to the National Agency within 24 hours.
- Companies will only have to deal with one agency, namely the Data Protection Authority in the EU country where a company has its main establishment.
- There must be an express consent to process data. No longer will it be possible for consent to be assumed.
- There will be enhanced rights to data portability.
- The right to be forgotten. I must admit I have difficulty with this, not because I think it is a bad idea but because it seems to me to be totally unrealistic. We all know how difficult it is to delete information from computers or to unsubscribe from those pestiferous sites which keep sending unwanted emails. How the right to be forgotten is to be enforced remains a mystery.
- The EU rules are to apply if personal data is handled abroad by companies active in the EU and offering services to EU citizens.
- There will be a new directive to cover data protection principles and rules for the police and judicial co-operation in criminal matters. I hope this does not mean any further extension of the pernicious European arrest warrant.
It is not my intention to comment on each proposal individually. I will say, however, that we all need to be aware of the proposed changes even if they are likely to be contentious, costly and difficult to enforce.
Never mind! We can be sure that there will be plenty of time to think about that before the legislation is enacted and the directive comes into force!