Proposals are underway for a fundamental reform of the EU data protection regime. The new regime could introduce far-reaching changes to the way the storage and processing of personal data has been regulated in the EU to date. The draft Regulation will overhaul the existing EU data protection regime and will be directly applicable in all EU member states when it comes into force. It would replace the Data Protection Act 1998 in the UK, and along with it the relatively “light touch” regime that business has been used to.
It is widely recognised that data protection law across Europe requires modernisation and has not kept pace with technological developments, not least cloud computing. The dramatic increases in the scale of data sharing, “big data” collection and storage have further amplified the need for a new approach to the protection of personal data, harmonised across all EU member states.
The proposals have been criticised in some quarters for the increased level of bureaucracy that will be involved. The challenge is to provide an adequate level of protection across the single European market which reflects the way business is conducted in the digital age, without increasing the regulatory burden.
There is pressure to agree the draft Regulation before the May 2014 European Parliamentary elections. It is thought more likely, however, that the new regime will be agreed in 2015 and will come into force in 2017, following a proposed two year implementation period. Given the extensive changes that are planned, data processors and controllers, and those involved in providing solutions and data storage, should start to consider how to deal with the impact of the Regulation as soon as possible. It is likely to have a significant impact on those involved in compliance, risk management and legal, as well as on the procurement of storage solutions for personal data. Some of the key changes are outlined here.
Greater accountability
Under the existing UK data protection regime, statutory obligations are imposed on data controllers (who decide the purposes for which personal data will be processed) rather than on data processors (who only process data on the instructions of a data controller). Suppliers storing or processing personal data as part of an outsourced service are therefore unlikely to be directly liable under current law for failures in relation to their customer’s personal data (although there may well be contractual obligations and responsibility in place with the customer). This will change under the new proposal. The draft Regulation makes clear that data processors, and hence storage providers acting in that capacity, will have a new statutory obligation to implement appropriate security measures when processing personal data on a data controller’s behalf. This will have a substantial impact on the liability of businesses that process or store personal data as part of a service provided to third parties.
Data breach notification
At present, except in certain circumstances, there is no statutory obligation for processors to report a data protection breach to the regulator. In the context of storage providers and their customers this is often dealt with by means of a contractual obligation on the processor to report to the controller; it is then open to the controller to decide whether it wishes to inform the regulator. The draft Regulation proposes that data controllers will be obliged to report to the regulator without undue delay on becoming aware of a personal data breach. There are currently no proposed materiality thresholds below which a breach need not be notified. This may lead to an overwhelming number of notifications, and it will have major implications for businesses, since notifying a breach to the UK regulator is not currently mandatory on all occasions. It is not clear whether a fixed time limit will apply to this obligation; the UK regulator, the Information Commissioner’s Office (ICO), would prefer not to include one, recognising the potential complexities involved and the time taken to bring together the information needed for a comprehensive notification.
Equally, in the case of processors, the draft Regulation envisages imposing a statutory obligation on the processor to report to the controller. A contractual mechanism, although still useful, may no longer be strictly necessary.
Dealing with the regulator
The current UK regime does not require processors to register with the regulator or to notify it of their data processing activities. The obligation to notify rests on the controller in respect of its own activities. The new draft Regulation dispenses with the obligation to notify, but in its place imposes a new statutory obligation on both processors and controllers to implement risk assessments and policies and procedures dealing with data security and risk (see further below).
Under the current regime processors are substantially shielded from the powers of the regulator, but once the draft Regulation is introduced there will be a specific duty to cooperate with the regulator. Processors will need to balance any conflict between their statutory duty to the regulator and their contractual responsibilities to their customers as controllers.
Risk based assessment and policies and procedures
The draft Regulation envisages a less prescriptive notification regime and a more holistic approach based on risk assessment and policies. It is envisaged that both processors and controllers will have greater accountability and will be required to have written procedures in place dealing with data protection. This is more akin to the approach taken in health and safety and anti-bribery and corruption regulation.
Increased penalties
Enhanced penalties for breach of the Regulation have been proposed, including fines ranging from 0.5% of worldwide turnover for less serious breaches to 2% of worldwide turnover for serious breaches (such as not appointing a data protection officer or failing to notify the regulator of a security breach). In the European Parliament’s latest draft this has been increased to fines of up to 5% of worldwide turnover or EUR 100 million, whichever is greater. The current maximum penalty in the UK is £500,000, so this represents a massive increase in potential sanctions.
The ICO is concerned that fines should not be imposed for procedural or record keeping failures alone, and should only apply where failures can be linked to the creation of a significant risk to privacy. It welcomes a compromise suggested by the European Parliament that authorities should relate sanctions to the risk posed by the non-compliance rather than being required to impose them as a matter of course.
Right to be forgotten
A new “right to be forgotten”, or “right to erasure” as renamed in the European Parliament’s recent draft, will entitle individuals to require data controllers to erase their personal data where the purpose for which the data was collected has expired. A data controller who has made data public may also be obliged to take all reasonable steps to have the data erased, including by third parties to whom the data has been transferred. This has clear potential to increase costs and create liabilities for service providers, particularly those involved in social media. The UK Government has expressed particular concerns that the right to be forgotten must be managed so that appropriate qualifications are applied and freedom of expression and the maintenance of accurate historical or insurance records are not unduly compromised. This may well have a practical trickle-down effect for those at the sharp end dealing with the storage of the personal data.
Data protection officers
As part of a drive for greater accountability, the initial draft Regulation proposed that all public authorities and companies with 250 or more employees, whether data controllers or data processors, must appoint data protection officers for terms of at least two years. In the case of a group of companies it will be sufficient to appoint a single officer for the group, although sufficient access to that officer may need to be guaranteed for each group company. In the age of cloud computing, where small controllers can process large amounts of data, the European Parliament has suggested the test should not be based on employee numbers but instead whether processing relates to more than 5000 individuals in any 12 month period. It also suggests that where a data protection officer is an employee rather than a contractor, their term should be secured for a minimum of four years instead of two.
Unlike many European countries, which already have similar regimes in place, in the UK there is in most circumstances no requirement to appoint data protection officers. This represents a significant change in approach, which the UK Government does not believe is necessary. Data protection officer appointments could prove to be expensive for small businesses.
Portability of personal data
Under the Regulation, individuals will have the right to obtain from a data controller a copy of their personal data by electronic means and in a structured and commonly used format. This right is targeted in particular at allowing individuals to move seamlessly between alternative online service providers and is likely to be welcomed by start-up businesses competing with more established names. Respondents from the business world have not, however, welcomed this obligation and have expressed concern that this right might prove burdensome and costly for businesses, particularly small and medium sized enterprises, which may be inundated with requests from individuals to have their personal data made available to them in an agreed format for re-use.
Transfers outside the EEA of Personal Data
Rather disappointingly the EU has not taken the opportunity to simplify the current convoluted legal regime for the transfer of personal data outside the EEA and so the draft Regulation does not assist with the storage and movement of data in the cloud.
Significant impact
For those in the data storage industry, the times are a-changing and the regulator is coming. It remains to be seen whether the draft Regulation will be implemented in its current form. Those in compliance, risk, legal and IT security should take heed of its implications and consider planning for the new regime.