EU data protection regulations: will they work, and how do we prepare?
Insights, advice and opinion from a Prospect roundtable discussion featuring former GCHQ director Sir David Omand.
They’re coming. No one is exactly sure when but the European Union’s data protection regulations, which will harmonise laws across 28 member states and have an impact worldwide, are on their way. Beyond consolidating a patchwork provision of locally-interpreted legislation that has been in place since directives were introduced in 1995, the aim of these regulations is two-fold: to protect personal data (“a fundamental right”, in the words of the European Commission ) and to ensure the free flow of data (“a common good”).
Businesses, consumers, politicians and citizens will soon have to ask themselves how they should prepare for these changes. But before that, there’s another question that needs asking: will they work? Earlier this month Prospect, in partnership with Trend Micro and Beazley, convened a roundtable discussion to address these two complementary questions.
While there were misgivings among most panelists about the specifics of the regulations, many were in no doubt that the laws were needed. “We don’t particularly like doing regulations,” said Mary Honeyball, Labour MEP for London, “but there are times when you have to. And this is one of those times.”
Mark Brown, executive director at Ernst & Young agreed. It was important, he said, to remember why regulation was required. “It’s because most businesses haven’t cared about this topic … There is no incentive for most companies to do privacy.” Fines in the past have been seen as little more than “a slap on the wrist”, said Brown citing one business executive who described a £500,000 penalty – the maximum the UK information commissioner can apply – as “not even a rounding error for our company”. In turn this has “bred a cultural malaise in most companies”. The prospect of fines of up to €100m or 5 per cent of global annual turnover would focus minds, Brown said. “You can’t provision for that.”
[subhead] Will they work?
But despite the laudable intent, there is devil in the detail of these multi-faceted regulations; as four headline proposals demonstrate.
1. The right to be forgotten
Sometimes referred in the draft regulations as the “right of erasure”, this is an idea foreshadowed by a European Court of Justice ruling earlier this year forcing Google to amend some of its search results. As applied in the context of the EU data laws, it will be “in practice mostly impossible”, said Sir David Omand, former director of GCHQ. “The citizen will be given the impression they have this power and the end result will be fruitless court cases.” Raluca Boroianu-Omura from the British Association of Insurers agreed insisting that the right to erasure was impractical in part because it focused on the online context and ignored the offline. The unforeseen consequence of this, she said, will be conflicting legislation especially in heavily-regulated environments such as insurance. “The fact that a customer calls you up and says, ‘Delete all my personal information’, doesn’t mean you should actually do it,” said Boroianu-Omura. “There should be more legal certainty.”
2. Mandatory breach notifications
Original drafts demanded that any data breach involving the loss of personal data must be reported within 24 hours. The language has since been diluted and there is now a requirement to report “without undue delay”. The change does little to solve a fundamental flaw, said Stephen Bonner, partner at KPMG. “It drives a perverse incentive, as organisations stop looking for these issues because that way they don’t have to notify people.” He added: “All this is about punishing the victims of data abuse – the companies that are having the data stolen – but very little about the criminals. It’s very unlikely that eastern European crime gangs are going to appoint a data protection officer.”
3. Specific consent
Drafts indicate that citizens will have to grant consent each time their data is used. A sensible, citizen-focused idea? Not for medical research which relies on a model of broad consent. “You ask people once and then, under a strict governance framework, reuse their data again and again,” explained Beth Thompson, policy advisor at the Wellcome Trust. The European Parliament has yet to recognise the need for an exemption. “It’s really grave for research,” said Thompson.
The issue goes wider than that, said Sir David Omand, who argued that the concept of personal information in the context of the regulations was “deeply flawed”, especially “given the advances in data processing or data mining which means most anonymisation schemes can be got around.” Meanwhile, Stephen Bonner questioned the notion of consent in an age of Internet of Things . “When my fridge negotiates with my electricity company to get better value overnight because I’m storing a lot of beer for a party, I’m not involved. So the idea that I can review terms and conditions is frankly absurd.”
Others had fewer concerns. Paul Fisher, data security journalist and founder of Pfanda.co.uk, said: “As someone who has basically sold their soul to Google, I’m quite relaxed about the fact that they know an awful lot about what I do because in return I get convenience. I’m much less worried about cyber crime than cyber surveillance.”
4. In-house data protection officers and impact assessments
While there’s nothing wrong with either provision in principle, the resource and cost burden of employing a data protection officer and carrying out mandatory impact assessments cannot be borne by most small businesses. That’s the verdict of Sietske de Groot, senior policy advisor, Federation of Small Business. The provisions apply to any business that has a database containing over 5,000 data subjects (read customers). This is likely to include “the flower shop on the corner”, said de Groot. Data protection is good practice, she said, but these were “very burdensome provisions”.
[subhead] How do we prepare?
Allie Renison, head of Europe and trade policy at the Institute of Directors, echoed the concerns of business which wanted to know what they should be doing in this transition period before the regulations come into law. Ross Dyer, UK technical director at Trend Micro, said that many organisations weren’t even ready to ask these types of questions. He pointed to a piece of research Trend Micro had commissioned which suggested that half of all UK businesses remain unaware of the EU data laws . Meanwhile one in four believe they are unworkable.
Dyer said it was time for UK business to face up to the reality. “It all starts with strategy and policy,” he said. “It’s good practice to know where important data is … and be ready for, and be able to identify when you’ve been breached.” Stephen Bonner from KPMG agreed. “One of the best ways you can prepare is to test your instant response. These events are inevitable. What distinguishes the good from the bad is how well they do that and how they maintain trust with customers in the face of that.”
Paul Hadley, director of the European reform directorate at the Department for Business, Innovation and Skills, recommended that businesses learned from the airline industry when it came to handling breaches. “If there’s a safety issue, they report it. There is no blame culture.”
Shell is one of the companies that has been preparing. Its data privacy legal counsel, Monika Tomczak-Gorlikowska, said: “We don’t have sleepless nights because the organisation has thought about it since the drafts and thought ahead.” Moreover, she said, forward thinking companies had long since applied principles of “proportionality, transparency and accountability” to their approach to privacy.
Back to those timings. The EU data protection regulations were originally floated in 2012 and it was thought they would be passed into law during this calendar year. That won’t happen and now the new European Commission president Jean-Claude Juncker wants them passed within six months. Even that is ambitions, said Andy Lucas, partner at Dentons, although he does believe the “regulation will be pushed through because there is a political imperative [to do so].” Even then, there is due to be a two-year bedding in period which in itself could prove costly for businesses as they look to comply with existing directives as well as the forthcoming regulations.
Between now and then, expect more arguments and dispute. For example, there remains a dichotomy between those who are looking for policies that, in the words of Allie Renison, provide “as much flexibility as there can be” and those looking for detailed exemptions. Renison’s view was echoed by Monika Tomczak-Gorlikowska from Shell who warned against “an overly prescriptive” box-ticking exercise, and by Max Perkins, underwriter with Beazley who insisted that “keeping it simple is going to be key.” Only by making the regulations “high level”, Perkins said, will they be applicable to an evolving technology landscape.
Others remain concerned that the laws do little to address the real issue; namely, consumer behaviour. “Signing up to terms and conditions of big commercial services, without any concept of the privacy decisions they’re making, is a problem,” said Victoria XXX, senior GCHQ liaison officer at the Home Office. Charlie Edwards, senior research fellow and director of security and resilience at the Royal United Services Institute added: “How do we make citizens and consumers more responsible for their data in the digital era? That’s a really challenging issue that a regulation will not actually achieve.”
Charlotte Holloway, head of policy at techUK said: “We do more ecommerce in the UK than the rest of the EU combined. The UK is a leader and has companies that will be most profoundly affected by this. So we need to be crystal clear that this piece of regulation will actually achieve the things that it’s aiming to which is questionable in its current form.”
To that end Paul Hadley at the Department for Business, Innovation and Skills, urged all parties to keep talking. “The UK government will continue to negotiate hard on this but it is incumbent on business and research institutions to talk their European counterparts and really spell out their concerns.”
The ‘EU Data Protection: will it work, and how do we prepare?’ took place on 11 November 2014 at Prospect’s London offices.