Proposals to update data protection laws are making their way through the political process. As David Reed finds out, there is a lot of momentum behind them, but still opportunities to influence their final shape through careful lobbying of politicians.
If all goes well, by April of next year, the final version of the new Data Protection Regulation will have been published. So organisations will be able to set their data strategy for the next decade in the knowledge of what the legal environment will be. If all does not go well, when the final version of the Regulation does get published in April, it will be the same as the draft that appeared in January this year. So those data strategies will have to assume some significant obstacles in the form of consent requirements, data portability, breach notifications and so on.
That means the next six months are critical for lobbyists trying to point out what impact the proposals would have on business. As Caroline Roberts, director of public affairs at the DMA, points out: “The regulations will have had five different committees reporting on them involving one-third of all UK MEPs. So the people voting on it when it comes before the European Parliament will know it well.”
This is an important point because it means all of the political considerations and manoeuvring will have taken place before the Regulation gets voted on. As a result, it is unlikely that there will be any dramatic upset in Parliament with the law being thrown out. Political alignment will have taken place around the proposals during the current consultation period that will ensure the version published next April is acceptable.
European parliamentary arrangements are complex, but boil down to white papers being considered for their implications across a range of issues. In the case of data protection, this is being led by LIBE, the Committee on Civil Liberties, Justice and Home Affairs. This committee is taking the lead role, taking input from four other committees: ITRE (Industry, Research and Energy), IMCO (Internal Market and Consumer Protection), JURI (Legal Affairs) and EMPL (Employment and Social Affairs).
Worryingly for UK data practitioners, the lead rapporteur in LIBE is a German Green MEP, Jan Philipp Albrecht. Expectations of his views have understandably been negative, yet according to Roberts, a recent opinion he published gives grounds for more hope.
“It is not as bad as you might expect and fear,” she says. For a start, it appears that anonymous or pseudonymous data may not get included in the definition of personal data.
“Albrecht also notes that the consent requirements as set out in the proposal will also need further work. He believes that technical standards, eg, Do Not Track, are a valid form of providing explicit consent. Furthermore, in order to give data subjects easily comprehensible information, ‘layered privacy policies’ and ‘standardised logos or icons’ should be considered,” says Roberts.
He also suggests that existing privacy impact assessments could be reused in order to be compliant. Systems that conform to the principles of privacy by design and privacy by default may also lower consent thresholds. “On the last point, the working document makes clear that manufacturers and service providers need much clearer guidance and stronger incentives to implement the principles of privacy by design and privacy by default,” she says.
The one aspect of the proposals which has been firmed up and remains of concern is the timetable. When a draft of the Regulation leaked in November 2011, it contained a reference to the legislation going to an “orientation vote” in mid-April 2013 with a view to being passed into law by 2014. This fast-track approach has now been confirmed.
“The view there is, ‘why not 12 months as opposed to two years?’,” notes Robert Bond, partner at Speechly Bircham who has been working with the International Chamber of Commerce (ICC) on its response. “The risk for business were it to be fast-tracked is that to re-engineer what they are doing would need two years. So we have got to watch that schedule like a hawk.”
A key driver of the fast-tracking for new data protection legislation is the plan by Viviane Reding, the European Commissioner who led the drafting, to stand for presidency of the European Commission. “In my view, she would like to ride in on the back of this, so it will have to be ready for 2014.”
To achieve that does place some limitations on what the legislation will look like by April of next year. In particular, many of the details and definitions have been put into “delegated acts” that would only be specified after the main framework has been approved.
“The Information Commissioner in the UK has indicated that he believes the number of delegated acts should be reduced so there is more clarity in the Regulation itself,” says Bond. While the current approach would set the overall tone that companies would need to reflect, it is likely to lack clarity on what is meant by certain potentially mission-critical details. “There is a need for greater reliance on accountability so business can be allowed to manage compliance, rather than being given prescriptive rules to follow, for example,” he says.
One argument being made is that the proposals should be passed as a Directive, rather than a Regulation. This is an important difference since it would allow for national interpretation and cultural context, rather than imposing a one-size-fits-all solution across 27 member states. However, Bond argues that, “it would be better for business to have a regulation because it creates certainty across the EU.” That reflects the views of the ICC, which is particularly concerned about issues like data transfers that will be of importance to global companies.
The definition of children and how their data is to be protected is a particularly problematic area in the proposals, not least because of widely differing ages of consent across the European Union. At the moment, there is a demand for privacy policies to be created in language appropriate to children under 13 and those aged 13 to 18.
“How do you create that? There is a very big difference in understanding at 13 compared to 18, even if they are both technically children. I have seen reasonable examples done by companies like Disney and games developers who have teenage players. But at the moment, there is nothing specific. Privacy notices are drafted by lawyers for lawyers and not for ordinary people,” says Bond.
Speechly Bircham has used its charitable organisation, The i in Online, to carry out research among focus groups of children into how data protection could be expressed using icons. This has generated a suite of over 4,000 possible images, such as a globe with the word “data” around it to express international data transfers. This could be varied by having a red bar through it or being greyed out to show a company does not send data outside the EU, for example.
It is easy to assume that from 2014, data protection laws will reflect the view of the countries at the heart of the proposals, such as Germany, Ireland and Spain, where some of the proposals - funding the data protection authority through fines, requiring a data protection officer - are already in place. Levelling up to this standard is what worries British companies, not least because of the costs involved.
Bond believes that this could prove to be one of the most compelling counter-arguments during the next six months. “If it is seen to be damaging to the digital economy, that is where the business case of extra bureaucratic costs is very focused. If that resonates, there may be some pushback by MEPs on some aspects,” he says.
Roberts says these messages are at the heart of the DMA’s lobbying, such as at a recent meeting with new Minister for Justice Helen Grant and DCMS’s Ed Vaizey. “We are pursuing four themes: the way data is an enabler for growth and how the proposals could stifle innovation; that transparent and permissioned data is a critical business tool; that it is in business’s own interest to protect consumer data and these proposals could be bad for the consumer; and that not all data is the same,” she says.
The UK is among the most developed information societies in Europe, which is why these messages get a warm welcome from ministers. They need to have strong arguments to present within the European Council of Ministers when it looks at the Regulation next year. If a consensus can be formed now and political allies won over the next six months, there is every chance of improving the outcome.
Right to be Forgotten, data portability and extended subject access requests for free are particular drivers of cost within the proposals that industry is keen to see amended. They would require major re-engineering of data management systems and could limit the innovation based around data which politicians have assumed as an economic force in the next decade.
By contrast, there is a growing body of global data protection legislation which is adopting the EU model, such as in Singapore, Malaysia, Indonesia, the Philippines and Colombia. Even in the United States, initiatives like Do Not Track, which is being pushed hard by the Federal Trade Commission, reflect the more consumer-first perspective that the Regulation has at its heart.
Pragmatically, the European Commission has based the proposals on a consumer-first view of data which has many political supporters. Whatever industry says, the proposals may get clarified or parameters drawn more narrowly around them. That could create enough space in which business can continue to operate in a relatively similar fashion to now. But spending the six months talking to MEPs about why changes are needed is vital.
(To send a message to your MEP explaining your concerns about the Data Protection Regulation proposals, use this portal: http://www.writetothem.com/)