EU Data Protection Reform – Are we nearly there yet? In a word, no.

The EU’s plans for an overhaul of data protection laws have suffered yet another set-back. After much speculation from commentators that the June 2014 deadline was unrealistic, the EU Justice Commissioner Viviane Reding finally conceded in a speech at a meeting of EU justice and home affairs ministers in Athens last week that the draft Data Protection Regulation will not be agreed during the current term of the EU Parliament.

This most recent delay has been caused by EU ministers failing to reach agreement before starting negotiations with the EU Parliament and the Commission. The draft Data Protection Regulation was first published by the European Commission in January 2012 and has proved to be one of the most controversial proposals ever to come out of Brussels, with over 4000 amendments proposed to the Commission’s original draft.

New timetables have been proposed and Viviane Reding has made some optimistic statements that there will still be a new data law by the end of the year. However, the reality is that we will have to wait and see how discussions regarding the draft Regulations progress following the forthcoming parliamentary election season. There currently remain fundamental differences among Member States and some significant changes of approach will be needed if a consensus is going to be reached.

The UK is currently calling for the proposals to be watered down and for the Regulation to become a Directive, giving each Member State the opportunity to interpret the requirements in a way which best suits them when adopting the Directive into national law. However, this approach is unlikely to be welcomed by international businesses looking for consistency regarding the application of data protection legislation cross Europe.

The one consensus which appears to exist among Member States is the acknowledgement that a change of some description to the current data protection regime is required. In the UK, the core data protection legislation has been in force since 1998 and is outdated and often incompatible with the technological advances which have been made in the last 16 years. Updated legislation, which reflects the world in which businesses are now operating and the advances which are likely to occur over coming years, is likely to be welcomed by all, but only if it is clearly drafted, thoughtful and well-reasoned. No one wants another piece of hastily constructed legislation which raises more questions than it answers. We’ve already got the cookies legislation for that!

Data Protection Reform Update

In January 2012, the European Commission proposed a major reform of the EU legislation regarding the protection of personal data. The aim of the new proposals was to update the current Data Protection Directive (95/46/EU) passed in 1995 in order to provide a higher level of protection over EU citizens’ personal data. It is also meant to consolidate and harmonise data protection laws across all EU member states. Another key objective of the proposals is to ensure that the revised law addresses the recent developments in technology to cover progressions in e-commerce, social networking, and cloud computing. In terms of compliance, the new regulation is set to be stricter than the previous law with harsher enforcement and penalties. As the draft regulation will be directly effective in member states, there will not be a need for local legislation to implement it.

 Key provisions of the Regulation 

  • Most businesses (including public sector bodies, private sector businesses with over 250 employees, and businesses that demand regular data monitoring) will be required to appoint or designate a data protection officer to ensure that data controllers and processors fulfil their duties, and monitor the implementation of policies. 
  • Companies will have to be more transparent about what they require data for. They can only collect the minimum amount of data that they require for a specified intention. 
  • Data subjects should have the right to ‘erase’ their personal data through a ‘right to be forgotten’. 
  • The activities of data processors will also be brought within the scope of the draft regulation. Previously, the Directive applied only to the data processing activities of data controllers. Furthermore, the regulation will also apply to data controllers who offer goods or services to data subjects in the EU, but who are not themselves established in the EU. 
  • Both data processors and data controllers will be required to implement security measures to strengthen online privacy. 
  • Data controllers will be obliged to inform the relevant national data protection authority of a data security breach within 24 hours of becoming aware of the breach.

 Although the regulation cannot enforce criminal sanctions, there will be more significant consequences of breaching the draft regulation. This will include fines of up to 2% of a business’ annual turnover for intentional or negligent breaches.

 According to the current timescales, the draft regulation is to be implemented before the European Parliament elections in May 2014, but is not likely to apply to the UK until 2016 at the earliest. Despite this, businesses should continue to keep informed about the proposed changes to ensure they are in a position to fulfil the requirements and comply with the key provisions when the time comes.

Graphing privacy

Graph SearchLast month, Facebook announced its latest innovation: Graph Search, widely regarded as an attack on Google’s dominance in the online search market.

Graph Search is being rolled out gradually across Facebook’s billion-strong user base, and will enable people to conduct “real language” searches of Facebook users. So you can search for “people in Tunbridge Wells who like Pizza Express”, and you’ll get a list of Facebook users who live in Tunbridge Wells and who have clicked the “Like” button on Pizza Express’s website at some point.

Like almost everything that Facebook does, this has given rise to some serious privacy concerns. Web developer Tom Scott started an Actual Facebook Graph Searches on Tumblr, giving some of the more embarrassing, amusing or even alarming examples of Graph Search results.

Facebook’s response to these concerns is that Graph Search will only show information that users have agreed to be made publicly available in their privacy settings. However, Graph Search undoubtedly makes that information far more accessible and usable to the world at large. It’ll be interesting to see if any European data protection commissioners challenge Facebook’s actions here – perhaps arguing that people cannot have given properly informed consent, since Graph Search is so innovative that people could not have had it in mind when they agreed to Facebook’s privacy terms.

As I’ve written before, people tend to focus too much on what information companies hold about them. However, the real impact on privacy comes from what companies are able to do with the data they hold about you: making connections, drawing inference, building up a surprisingly accurate picture about you from what may appear only a small amount of information. You could say that Graph Search puts something of this same power of “Big Data” in the hands of ordinary Facebook users – for good or ill.

Passwords: cracking the code

Interesting post by Willard Foxton on password security, describing how the 2009 hacking of the RockYou gaming website started a cascade of website cracking – all too easy in an era where “cryptographic feats that were the stuff of legend in the Second World War” can now “be done on your iPhone”.

Foxton summarises “current best advice” on password security as follows:

The current best advice is to have passwords composed of 20 characters, with no real words, and your gobbledegook has to include upper and lower case letters, symbols, numbers and punctuation, all randomly scattered through the word. On top of that, you need to have a different password for every site you use and change your password for all of them every three months.

I think it’s safe to say that a system whose “best practice” amounts to that is a system that is irretrievably broken.

Are there any legal implications to this? Well, the Data Protection Act requires organisations holding personal data to take:

Appropriate technical and organisational measures … against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

The Act does not prescribe any specific security measures, but the Information Commissioner’s current advice to organisations on passwords recommends:

use a strong password – these are long (at least seven characters) and have a combination of upper and lower case letters, numbers and the special keyboard characters like the asterisk or currency symbols.

This is some way short of the “best advice” set out by Foxton, though how much actual practical difference it makes to security may be a different matter – for now. “Appropriate” measures include striking a balance between theoretical security and practical workability, depending on the risks involved. But it would seem likely that, over time, the gap between what is “appropriate” and Foxton’s counsel of perfection will close.

Rather than tightening up password policies beyond the ICO’s recommendations, there may be a stronger case for looking at measures such as two-factor authentication. I adopted this for my personal email account after reading this chilling account of how a hacked Gmail account enabled Mat Honan’s entire digital life to be wiped out earlier this year. Google offer two-step verification for their accounts, which is relatively simple to set up and use, at least if you own a smartphone.

I’m not aware of any guidance from the ICO as yet on the use of two-factor authentication. What the ICO does insist upon, however, is the use of encryption for any mobile devices holding personal data (laptops, memory sticks, tablets). If your organisation is using such devices without encryption, you should correct this straight away – or risk joining Greater Manchester Police in the dock with a £120,000 (or more) penalty.

Data protection: out with the old, in with the new

The widely-trailed revision to EU data protection law has been unveiled today by the European Commission, who have proposed a “comprehensive reform” to EU data protection legislation.

The fundamental change is moving from national laws made under a harmonising directive, to a single regulation which will apply directly across Europe. While it’s going to take a little while to work through all the details – and the proposal still has to be discussed and ratified by EU member states and the European parliament – the key changes as summarised in the Commission’s press release are:

  • A single set of rules on data protection, valid across the EU.
  • Unnecessary administrative requirements, such as notification requirements for companies, will be removed. This will save businesses around €2.3 billion a year.
  • Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors – a requirement that has led to unnecessary paperwork and costs businesses €130 million per year, the Regulation provides for increased responsibility and accountability for those processing personal data.
  • For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).
  • Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU.
  • Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.
  • People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services.
  • A ‘right to be forgotten’ will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.
  • EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
  • Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.

In addition, there will be a new directive to “apply general data protection principles and rules for police and judicial cooperation in criminal matters”.

The “right to be forgotten” has been the most widely-publicised measure under consideration, and will certainly raise some tricky practical issues. However, I suspect that the biggest practical impact will come from the requirement for explicit consent, where consent is required. At present, certainly under UK data protection law, a lot of reliance is placed on implied consent; see, for example, the Information Commissioner’s guidance on the new cookies law, as discussed in a previous post. Explicit consent will greatly increase the practical burden on many businesses.

The new law, if adopted, will come into force two years after it is adopted, giving businesses and other organisations time to prepare for the new regime.

Data protection: tighter rules on the way in 2011?

The European Commission last month announced plans to overhaul data protection legislation. The aim of the new legislation is to strengthen the rights of individuals and to ensure that data protection rules are more consistently enforced. However, the current proposals are likely to place an increased burden on data controllers who could face greater penalties for non-compliance.

In its discussion document, A comprehensive approach on personal data protection in the European Union (PDF), the Commission states that the revision process is intended to address a number of “specific challenges”:

  • the impact of new technologies;
  • the need for increased data protection harmonisation and legal coherence within the EU;
  • simplifying the law on international transfers of data; and
  • stronger enforcement and an enhanced role for national data protection authorities.

The overriding aim is:

to protect the fundamental rights of natural persons and in particular their right to protection of personal data.

The discussion document then sets out a number of ways in which these challenges can be addressed in order to accomplish that aim. Some of the key ones for businesses are:

  • Increasing transparency, especially in privacy policies and as regards children. This could include standard forms of privacy notice.
  • Mandatory notification of personal data breaches.
  • Increased rights for individuals to have their data deleted (the “right to be forgotten”) and to withdraw their data from a service provider’s systems (“data portability”).
  • “Clarifying and strengthening” the rules on consent to data processing, in order to ensure that truly “informed consent” is given for processing.
  • Adding new categories of “sensitive” data, such as genetic data.
  • A requirement for “Privacy by Design” covering the design, deployment, use and disposal of technologies.

Observers have pointed out a number of areas of potential difficulty. The “right to be forgotten”, for example, seems on the face of it to contain a contradiction – because companies would need to keep lists of people they were required to have “forgotten”. More pertinently, data may refer to more than one person: where you and I both feature in a group photograph on Facebook, your “right to be forgotten” may conflict with my wish for the photograph to remain available.

Similarly, it is difficult for data controllers to know they have been given “informed consent” for processing without a certain amount of information already being retained and processed about an individual. It also seems doubtful whether standard forms of privacy notice could cover the limitless variety of different ways in which personal data is used.

Conclusion

Current data protection law is far from ideal, and so an overhaul is to be expected. However, the track record on EU legislation in this area will leave many businesses concerned as to the impact of any changes. The Commission document refers to “the fundamental rights of natural persons”, but (apart from references to “enhancing the internal market dimension of data protection) says little or nothing about the role of data processing in encouraging business activity and economic growth. Some of the proposals floated in the document, such as requirements for “informed consent” and the “right to be forgotten”, could present considerable administrative challenges to data controllers.

From a UK perspective, moves to increase “harmonisation” and “coherence” for data protection are likely to mean a considerable tightening up of the law. To date the UK has tended to take a more relaxed view towards data protection issues than some other EU jurisdictions, for example in allowing “implied consent” for processing where others require explicit consent in writing.

The Commission is inviting responses to its discussion document in a consultation period closing on 15 January 2011, and draft legislation is then expected some time during 2011. It remains to be seen what form this will take, but companies whose business is based heavily on data processing will want to keep a close eye on developments over the next twelve months.

Data protection penalties: the ICO bares his teeth

The Information Commissioner’s Office (ICO) has announced the first monetary penalties (PDF) under new provisions introduced into the Data Protection Act earlier this year.

Hertfordshire County Council has had a penalty of £100,000 imposed on it after faxing highly-sensitive material (in one case relating to child sexual abuse) to the wrong recipients, while employment services company A4e faces a penalty of £60,000 after losing an unencrypted laptop containing the details of 24,000 users of community legal centres. The ICO will no doubt be glad that its first use of its new powers have allowed it to send a clear signal to both the public and private sector.

For a long time the Data Protection Act was perceived to lack teeth: fines for breaching the Act could only be imposed by the Information Commissioner if a data controller breached an enforcement order put in place after a previous breach. This meant that even very serious breaches (such as when HMRC lost details of millions of child benefit recipients) could go unpunished if they were a “first offence”.

The new monetary penalties regime (s.55A DPA) allows the Information Commissioner to impose civil monetary penalties where there has been a serious contravention of the Data Protection Act (occurring on or after 6 April 2010) of a kind likely to cause substantial damage or substantial distress, and where either:

  • the contravention was deliberate; or
  • the data controller knew or ought to have known about the risk (and the likely consequences) but failed to take reasonable steps to prevent it.

The maximum penalty that can be imposed is £500,000.

The civil penalties regime significantly alters the risk profile for data protection breaches. Previously the main consequences for most organisations from a data protection breach have been reputational rather than financial. The ICO has shown how keen they are to use the new powers to make data protection a far higher priority for businesses and other organisations. Hertfordshire County Council and A4e will surely be only the first of many cases over the next few months and years.

Google Dashboard: full disclosure?

This morning, Google has launched Google Dashboard, a “privacy dashboard” intended to help users see what information Google holds about them across its various services.

Google is able to track a huge proportion of its account-holders’ online activities. Google has my personal emails (27,473 conversations since 2004), my personal contacts’ details, a full history of my web searches and of much of my web browsing. It knows what videos I’ve watched on YouTube, and what RSS feeds I’ve read through Google Reader.

It’s useful to have this summary of the different ways in which Google knows about us. That said, does this really tell us what Google knows? As any company in the data management business can confirm, the power of personal data comes not from the raw information, but from the ability to analyse that information in order to identify patterns of behaviour and so on.

So a criticism that could be made of Google Dashboard is that it is an example of “informing to conceal”. We are given apparently comprehensive details of the information Google possesses about us. But the real privacy concerns – not to mention the commercial value to Google of the information – comes from what they are able to deduce about us from this information: and that, not surprisingly, they are keeping to themselves.