EU Data Protection Reform – Are we nearly there yet? In a word, no.

The EU’s plans for an overhaul of data protection laws have suffered yet another set-back. After much speculation from commentators that the June 2014 deadline was unrealistic, the EU Justice Commissioner Viviane Reding finally conceded in a speech at a meeting of EU justice and home affairs ministers in Athens last week that the draft Data Protection Regulation will not be agreed during the current term of the EU Parliament.

This most recent delay has been caused by EU ministers failing to reach agreement before starting negotiations with the EU Parliament and the Commission. The draft Data Protection Regulation was first published by the European Commission in January 2012 and has proved to be one of the most controversial proposals ever to come out of Brussels, with over 4000 amendments proposed to the Commission’s original draft.

New timetables have been proposed and Viviane Reding has made some optimistic statements that there will still be a new data law by the end of the year. However, the reality is that we will have to wait and see how discussions regarding the draft Regulations progress following the forthcoming parliamentary election season. There currently remain fundamental differences among Member States and some significant changes of approach will be needed if a consensus is going to be reached.

The UK is currently calling for the proposals to be watered down and for the Regulation to become a Directive, giving each Member State the opportunity to interpret the requirements in a way which best suits them when adopting the Directive into national law. However, this approach is unlikely to be welcomed by international businesses looking for consistency regarding the application of data protection legislation cross Europe.

The one consensus which appears to exist among Member States is the acknowledgement that a change of some description to the current data protection regime is required. In the UK, the core data protection legislation has been in force since 1998 and is outdated and often incompatible with the technological advances which have been made in the last 16 years. Updated legislation, which reflects the world in which businesses are now operating and the advances which are likely to occur over coming years, is likely to be welcomed by all, but only if it is clearly drafted, thoughtful and well-reasoned. No one wants another piece of hastily constructed legislation which raises more questions than it answers. We’ve already got the cookies legislation for that!

Data protection penalties: the ICO bares his teeth

The Information Commissioner’s Office (ICO) has announced the first monetary penalties (PDF) under new provisions introduced into the Data Protection Act earlier this year.

Hertfordshire County Council has had a penalty of £100,000 imposed on it after faxing highly-sensitive material (in one case relating to child sexual abuse) to the wrong recipients, while employment services company A4e faces a penalty of £60,000 after losing an unencrypted laptop containing the details of 24,000 users of community legal centres. The ICO will no doubt be glad that its first use of its new powers have allowed it to send a clear signal to both the public and private sector.

For a long time the Data Protection Act was perceived to lack teeth: fines for breaching the Act could only be imposed by the Information Commissioner if a data controller breached an enforcement order put in place after a previous breach. This meant that even very serious breaches (such as when HMRC lost details of millions of child benefit recipients) could go unpunished if they were a “first offence”.

The new monetary penalties regime (s.55A DPA) allows the Information Commissioner to impose civil monetary penalties where there has been a serious contravention of the Data Protection Act (occurring on or after 6 April 2010) of a kind likely to cause substantial damage or substantial distress, and where either:

  • the contravention was deliberate; or
  • the data controller knew or ought to have known about the risk (and the likely consequences) but failed to take reasonable steps to prevent it.

The maximum penalty that can be imposed is £500,000.

The civil penalties regime significantly alters the risk profile for data protection breaches. Previously the main consequences for most organisations from a data protection breach have been reputational rather than financial. The ICO has shown how keen they are to use the new powers to make data protection a far higher priority for businesses and other organisations. Hertfordshire County Council and A4e will surely be only the first of many cases over the next few months and years.

The cost of online privacy

The European Commission is taking an increasingly interventionist approach towards internet regulation, particularly as regards individuals’ privacy rights. Earlier this week, the Commission announced that it was taking further steps to require the UK to fully implement EU laws on the interception of communications, while legislation currently working through the European parliament will require all websites using cookies to obtain express permission from users. These measures are particularly aimed at the restriction of “behavioural advertising” (also the subject of an OFT investigation).

In each case, the Commission claims (with some justification) to be acting in response to citizens’ concerns about their fundamental privacy rights. However, this may be a case where European citizens should have taken the old advice to “be careful what you wish for”.

It is unlikely that many people will shed tears over the fate of the Phorm “Webwise” system, which proposed to monitor web users’ activities in order to serve up advertisements matching their interests. The controversy over whether the system was legal under UK law led to the Commission’s investigation into the UK’s implementation of EU laws on the interception of communications, in particular the Regulation of Investigatory Powers Act 2000 (RIPA). The Commission has three complaints concerning RIPA:

  • the lack of an “independent national authority to supervise interception of communications”;
  • the permitting of interceptions where the interceptor has “reasonable grounds for believing” that consent to do so has been given, where EU rules require “freely given, specific and informed” consent;
  • restriction of prohibitions and sanctions for unlawful interception only to “intentional” interception only, whereas the EU law requires member states to impose liability even for unintentional interception.

If UK law has to be tightened, especially on the second and third items, this will have a considerable impact on many businesses, not just those involved in online advertising.

The proposed new law on cookies could have an even bigger impact on online advertising and the surfing experience of European web users. Current EU law requires websites to offer visitors the “right to refuse” cookies. The UK has interpreted this quite broadly, with the Information Commissioner’s guidance (PDF) taking a pragmatic approach in which it was sufficient for companies to inform users in their privacy policies and leave it to individuals to block cookies using their browser settings.

The proposed change is intended to “clarify” the original law by requiring express consent from users before a website places a cookie on their computer. It has been suggested that this will mean websites have to show a pop-up to users entering the site, explaining what cookies are used (and for what purpose) and requesting consent. As many users hate pop-ups even more than they hate online advertisements, this is likely to have a significant adverse impact on many people’s web experience, and put EU-based websites at a disadvantage compared with their international competitors.

In addition, increased refusal of cookies will make online advertising more difficult and less profitable, which will increase the pressure on websites to charge users for accessing content. Again, one wonders whether many people would prefer the current trade-off between privacy rights and availability of “free” content over a web in which they encounter pop-ups and paywalls at every turn.

The Guardian’s recent supplement on the fortieth anniversary of the internet recalled an early (1994) description of the web as a place “where pornographers and Nazis walk freely, where criminals roam unchecked and where anarchy reigns”. These developments are another reminder of how far we have come from the Wild West days of the early, unregulated web. The web is now a highly-regulated environment: it remains to be seen whether it can retain its other benefits as the effects of this regulation become more apparent.