The new EU Data Protection Regulations - has anyone remembered the customer?
The revisions to the EU Data Protection regulations sounded so promising. Announced in January 2012, the consumer’s right to privacy and protection were at their heart. They included the “right to be forgotten,” giving individuals the power to remove their data from sites they no longer use; the need for “explicit” consent to be given for the handling of personal data; and the requirement that data breaches should be reported to the local information authority and the victim within 24 hours. This seems like plain common sense to most of us. Of course companies should be held to account for data breaches. And of course personal data should only be given with explicit consent.
Predictably, there has been a fuss. Almost 4,000 amendments have already been submitted from organisations which fear that the reform will be threatening and/or costly for them. Companies whose livelihoods depend on internet commerce are fiercely protective of the customer data they have spent so long gathering and analysing, and those organisations with less than robust security systems are alarmed by the requirement to report breaches.
More surprising is the fact that both the EU and the UK government appear to be losing their nerve. The assurance from Viviane Reding, the vice president of the European Commission, that the reforms would be largely complete by the end of the Irish EU presidency in July 2013, seems highly unlikely to hold as more and more changes emerge. Astonishingly, the UK Information Commissioner’s office itself has been one of the chief naysayers, complaining about the cost of its own increased reporting, and publishing a survey about the ill-preparedness of British businesses to cope with the changes. While David Cameron has not himself condemned the reforms, nor has he prevented his cabinet minister Chris Grayling from declaring that they will damage British business.
A compromise text has now been prepared by the council, along with proposed amendments from the Irish Presidency. Already these make depressing reading. The reform was originally intended as the more prescriptive “regulation” rather than the locally adaptable “directive”, but the council is now considering the weaker option. Instead of “explicit” consent, “unambiguous” consent will be required for the use of personal data. As for the reporting of data breaches, the presidency now suggests that notification only needs to take place for breaches which may result in “severe material or moral harm” - and this within 72 hours rather than 24.
Such serious dilution of the EU Commission’s original proposal is very disappointing. In an information economy, trust is everything and it helps nobody if the authorities listen only to the clamorous protests of vested interests. Ignoring the rights of the customer will not help us to fight our way out of our economic difficulties. Changes that protect customers always meet with resistance. When PCI (Payment Card Industry) regulations were first announced there were similar levels of protest, yet the result was not only increased data security but a new boom in technology companies helping to simplify the process for businesses. Similarly, the cookie laws were deemed impossible to enforce, yet we are all familiar with the brief disclaimers on even the smallest data collecting websites.
At the end of 2012, Viviane Reding stated: “We want to open new growth opportunities that Europe needs, and at the same time, we want to make data protection an effective right for everybody.” What a wasted opportunity if this does not take place.