Are you in compliance?

Don't miss out! Sign up today for our weekly newsletters and stay abreast of important GRC-related information and news.

EU Commissioner Says Sweeping Data Protection Changes Still Needed

Roberta Holland | August 20, 2014

The flap over the right to be forgotten should not derail the wider discussion of data protection reform in the European Union, according to the bloc’s new justice commissioner.

EU Justice Commissioner Martine Reicherts said in a speech earlier this week that the debate has become distorted over the European Court of Justice’s ruling on individuals’ right to ask search engines to remove certain links from search results in specific circumstances. Speaking to the IFLA World Library and Information Congress in Lyon, France, Reicherts said while Google and other search engines “complain loudly,” the ruling should not be used to undermine the ongoing data protection overhaul. Claims the ruling will lead to censorship are unfounded, and the decision should be no harder to implement than tracking down the owner of copyrighted material, she said.

Reicharts-martine-0814The search engines “should remember this: handling citizens’ personal data brings huge economic benefits to them,” Reicherts said. “It also brings responsibility. These are two sides of the same coin. You cannot have one without the other.”

Reicherts urged Member States to stick to a commitment made earlier this year to conclude the negotiations on data protection reform, which began more than two years ago. The newer rules would replace the current directive, which took effect in 1995 – light years ago in terms of technological changes. The goal is for European Parliament and the Council to reach agreement this fall so reforms can take effect in 2016. Reicherts noted that if the EU delays too long, it runs the risk of other, weaker standards being imposed on it. “The world will not wait for us,” she said.

Modernized data protection rules will help businesses in several ways, Reicherts said. First, it will replace a hodgepodge of regulatory frameworks with one clear set of rules, and allow companies to deal with a single supervisory authority rather than 28. That should save businesses time and money, Reicherts said. Additionally, the revised regulation will apply to any firm providing goods or services in the EU, regardless of where the business is based.

The reform “will create a level playing field for Europe’s digital industry,” Reicherts said. “Companies located in third countries such as the U.S., when offering services to Europeans, will have to play by our rules and adhere to the same levels of protection of personal data as their European competitors.”

The reform also includes a consistency mechanism to ensure that national data protection authorities, which still will be tasked with making individual decisions, are interpreting and applying rules the same way. The proposed rules include requirements that privacy safeguards be built into products and services from the beginning stages of development, and that “privacy friendly” settings should be the default settings.

Reicherts also defended the need for the stiff penalties proposed, which could be as much as 5 percent of a company’s annual turnover or €100 million, whichever is greater. Penalties under the current system amount to little more than “pocket money” for a technology giant like Google, Reicherts said. “We need to get serious,” she said.

Likewise, businesses should get serious about taking steps now to position themselves in preparation for the forthcoming data protection overhaul, according to guidance issued last month by PricewaterhouseCoopers.

PwC said the draft regulation is three times longer than the existing directive and “significantly more prescriptive.”

“The changes are likely to pose significant new data protection compliance challenges for businesses operating in the EU, as well as for businesses established outside the EU but whose products and services are directed at Europeans,” the July report said.

PwC noted some significant changes are on the horizon, with a much broader swath of businesses required to comply with the rules. Both data controllers and data processers are subject to the proposed regulations. For the first time, data protection rules also will apply to developers of systems for the processing of personal data, like apps or hardware. New rules also would dictate how quickly – and to whom – companies report personal data breaches.

The report warned of financial implications of the rule requiring data breach notification, including reputational loss and even potential drop in share price. The report suggested those financial implications could outweigh the heavy penalties proposed by lawmakers.

Certain companies and organizations, including those that handle the processing of more than 5,000 data subjects, will be required to appoint a data protection officer. PwC said that new position will pose an immediate challenge for companies because there do not appear to be enough qualified DPOs in the market.

Although the final version of the overhauled rules will not be known for some months yet, the main principles are clear, and companies, especially large multinationals, would be wise to take steps now, PwC advised. It recommended companies:

  • Conduct a data protection review to determine their current and proposed “footprint and exposure”
  • Evaluate existing compliance programs and structures
  • Identify personal data collected and stored for subjects in the EU
  • Analyze data processing activities and cross-border and third-party data flows to uncover potential gaps or weaknesses

“The draft regulation offers a means for businesses to save significant costs in the area of data protection, but those businesses must ensure they are fully compliant in order to avoid substantial financial penalties and damage to reputation,” the report said.