Philip Nolan looks at the changes ahead and the impact of the new EU privacy rules.
Data is a key strategic asset for many businesses. Many firms compete on the strength of their contact list, and their understanding of their customers’ needs. This trend is likely to continue. More and more, businesses strive to offer personalised services to their customers. They do this by learning more about their needs and preferences. Such use of ‘personal data’ is regulated by European data protection law.
At present, a heated debate is taking place across Europe as to whether and how the existing data protection rules, which date back to 1995, need to be replaced. The European Commission has proposed a new, comprehensive ‘General Data Protection Regulation’. This new regulation will significantly tighten the existing regime and will impose a broad suite of new obligations on businesses. A number of national governments, including Ireland and the UK, have expressed reservations about these new rules and have sought to pare back their application. These draft data protection rules were one of the key legislative reforms tackled during the Irish Presidency of the Council of the EU.
These proposals have also engendered lively debate in the European Parliament. Certain MEPs, particularly Jan Albrecht, a German Green, are campaigning to introduce further restrictions on the ways in which businesses can obtain and use information about their customers. Conversely, a more pro-business caucus, largely led by Munster MEP Sean Kelly, is seeking to refine the Commission’s original proposal to address the realities of online commerce and personalised advertising. So what then does the proposed regulation say?
Changes to consent rules
At present, it is sufficient for a business to obtain implied or inferential consent for the processing of most forms of personal data.
For example, if one directly obtains a business card from a contact, one can infer that this contact has consented to being added to one’s CRM database. More formal explicit consent, such as a signed consent form, is only needed in the limited circumstances where one processes sensitive personal data such as medical records.
The regulation proposes to change this position such that explicit consent will be required for the processing of all forms of personal data. It is difficult to see how this could be effectively implemented in practice.
Individuals transacting in both online and offline environments will find themselves facing an endless routine of opting in and imparting explicit consents. This will include providing explicit consents to businesses for very basic and obvious forms of processing, where previously implied consent was satisfactory.
New administrative burdens
In addition to tightening the basic rules relating to consent, the regulation will introduce a number of costly new requirements for businesses. Privacy impact assessments will become mandatory for businesses that adopt processes which are perceived to present specific risks to individuals’ privacy rights. The use of certain analytics tools, large CCTV systems and biometric technologies will most likely require such assessments to be carried out in advance of deployment.
Companies employing over 250 staff will be required to employ data protection officers to oversee organisational compliance with the new rules. Security breaches will have to be notified to the privacy regulator within 24 hours of a business becoming aware of them.
This is an extremely tight timeframe which will require carefully constructed security breach response plans to be in place in order to ensure compliance. Overall, compliance with these new burdens will mean additional costs for companies doing business in the EU.
A new principle of data minimisation will also apply requiring businesses to develop processes and means of operating which minimise the amount of personal data which they use or require. With the present proliferation of data analytics tools and big data technologies, businesses will be challenged when it comes to availing of these new tools to provide personalised customer services while also seeking to comply with data minimisation principles.
Perhaps the most controversial aspects of these new rules are the fines which may be levied on businesses that breach the rules. Fines of up to 2% of a company’s annual global sales may be levied in the event of a breach of these rules. While it is hard to envisage the Irish Data Protection Commissioner levying such a large fine in the absence of an extremely serious breach of the new rules, businesses need to be prepared for far more robust enforcement of data protection law if and when the proposed Regulation is adopted.