The European Parliament has voted − by an overwhelming majority − to significantly overhaul current EU data protection laws.
A single data protection law looks set to replace the existing patchwork of national laws. The new law will impact almost every business operating within the EU and, consequently, many businesses outside the EU.
The UK is recognised as having some of the weakest and abused data protection laws in Europe, but things are about to change.
The new European Data Protection Regulation is calling for one law across the continent. The changes could have a weighty impact upon corporate UK and will be backed by hefty fines.
The Data Protection Act 1998 came into being in March 2000 with most requirements coming into play by October 2001 through EU Directive 95/46/EC. The Act required bodies, which record and use personal information to register with the Information Commissioner.
With the rapid growth of technology, stored information, and the internet explosion, the Act set out to:
- Protect the rights of and privacy of individuals
- Ensure information held about them was not processed without their knowledge
- Where possible with the individual’s permission
- Related to living individuals
- Defined a category of sensitive personal data
The Act covered data held in electronic formats, but also included data held in manual filing systems. Effectively this meant that any stored information relating to an identifiable living person, was covered by the Data Protection Act. Unstructured manual data was exempt from various aspects of the Act.
To any individual or organisation holding data, this meant they were responsible for any decisions with regard to its processing, and that any processing should be carried out according to the eight data protection principles:
- Personal data shall be processed fairly and lawfully
- Personal data shall be obtained only for a specific and lawful purpose, and shall not be further processed in any manner incompatible with that purpose or purposes
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
- Personal data shall be accurate, and, where necessary, kept up to date
- Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose
- Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act
- Appropriate technical and organisational measure shall be taken to prevent the unauthorised or unlawful processing of personal data and the accidental loss, destruction or damage to personal data
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
Changes are on their way
In January 2012, however, the European Commission proposed a comprehensive reform of the data protection framework.
Because of the many changes technology has delivered, the aim of the new proposal is to harmonise data protection rules throughout the EU, do away with the patchwork of differing laws across member states. A consistent approach is essential for business and individuals.
The proposal currently under debate is a development of existing legislation, not a radical revolution. It is necessary because the existing legal framework is being abused and is becoming less and less relevant with the advent of new technologies. Industry needs a consistent law across Europe to make it easier for it to conduct business; to achieve this you need some degree of prescription.
The Regulation will establish one single data protection law across all EU Member States. This will be a major benefit for international businesses and other organisations, which currently have to grapple with 28 different national laws.
The reason behind this is that, as a Directive, the European Data Protection Directive required local law implementation. Each Member State implemented the Directive differently. In contrast, the Regulation will have direct effect. Once adopted, it will apply automatically across all the EU Member States: one continent, one law.
What will happen next?
There is considerable political will in Brussels to have the text of the Regulation agreed by the Council of the EU in 2014.
The EU Parliament LIBE Committee has announced that it intends to hold a plenary vote on the Regulation on 14–17 April 2014. This vote is expected to be a mandate for the Regulation, either in the current form of the Compromise Draft or with those further amendments agreed by the Council of the EU.
Although the UK and Sweden are opposed to this swift timetable, the rest of the Member States appear to be in favour of reaching agreement in 2014. Businesses and other organisations, which think they might be impacted by the Regulation, are, therefore, advised to keep a close eye on these developments.
Alison Jackson is co-founder and director of document management software developer Lindenhouse Software.