In 1995 the European Union first implemented data protection regulations for its 15 Member States. Now 18 years later, with EU membership totalling 28 countries, the European Commission is drafting an extensive data protection reform measure that is likely to radically change if not completely transform the 1995 directive.
The 1995 directive was implemented in order to regulate the movement of data within the EU and to ensure that every Member State created an independent national body to oversee the protection of data.
The official aim of the 1995 Data Protection Directive:
“…Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data. Member States shall neither restrict nor prohibit the free flow of personal data between Member States…”
Calls for Reform
In January 2012 the European Commission publicly proposed plans for reform that hope to meet the expectations and standards of the 28 Member States. Technology has advanced dramatically since 1995 and yet the objectives that are embedded in the 1995 Directive are still applicable today. So why now are there calls for reform across Europe?
In a survey, the European commission found that 26% of social networkers and even fewer online shoppers at 18% felt in control of their personal data online. The survey found that 90% of respondents desired uniform protection data policies across the EU. Evidently then public distrust is a good starting point for looking at the need for reform.
In 1995, only 1% of Europeans used the internet on a daily basis now approximately 78% of Europeans use the internet with the rise of cloud computing and social networking. The increase of internet users has made the transfer of data online become increasingly complex and fluid. With these changes the problem of disparity between Member States has become more noticeable. Companies have faced increasing difficulties in trying to comply with all 28 Member State regulators.
The rise of cloud computing has meant that data can be administered in Paris, warehoused in London and accessed from Madrid. Data is regularly fed in and out of countries but the irregular legal parameters make the movement of data particularly problematic for global companies.
Mandatory corporate rules are often used by companies for data protection however these rules must be certified by at least three independent data protection bodies. This is an inefficient process which costs businesses on average €130 million a year and is seen as a bulwark against globalisation.
To learn more about the Data Protection Act please check out our blog: Data Protection: What is it and how does it affect your company?
The Road to Reform
The Commissions’ main objective is to simplify and streamline regulations creating an even playing field for global competition which will help facilitate the expansion of the growing digital economy.
The key changes will include:
- A single set of rules for every Member State.
- One data protection authority (DPA) will be accountable for a company even if it is doing business globally.
- Individuals given easier access to their own data.
- Allowing individuals to more liberally move personal data from one service provider to another.
- Companies will have to become more responsible for personal data and companies with over 250 employees will have to acquire an independent data protection officer.
- Verifying that businesses outside the EU that are offering goods or services to members within the EU are expected to comply with EU regulations.
- Specification of ways in which individuals can erase their own data.
- Enhanced communication between the data subject and the data processor, especially in instances when confidential data has been breached.
- The Member States, the supervisory authorities and the Commission will encourage codes of conduct to be drawn up to act as comprehensive guidelines for those processing personal data.
- Individuals will be given the right to use judicial action against a supervisory body.
What does this mean for Data Protection in the UK?
As it stands the only two EU countries that are not in favour of these changes swiftly going ahead are Sweden and the UK. Both countries are concerned about the legislative timetable of the directive. Whilst other Member States are hopeful for an agreement to be reached by the end of 2014.
Currently data in the UK is governed by the Data Protection Act, which has been widely criticised for failing in its intended purpose. Data blunders by the NHS and Barclays have led to renewed calls for the proper protection of data. Businesses in the UK can expect higher fines under the new directive, fines up to £1 million, and tighter management of document systems.
When the reforms do come into effect, most likely in 2015, businesses need to be ready to implement the new directive. The offsite storage industry in particular will be closely monitoring the passage of reform and will be applying these changes into their handling of business documents.
This reform is going to indirectly affect all 500 million citizens in the EU and will have consequences globally for businesses in and outside the EU. As such the European Union should expect a long year of negotiation and compromise ahead.