In January last year the European Commission announced that the European privacy rules are to be changed. The Data Protection Act and its European equivalents are based on a Directive dating from 1995. The proposed Regulation is intended to create one regime for the protection of privacy throughout Europe. Due to various technical developments around advertisement profiles, cookies and Big Data, this European law will have significant consequences. The European Parliament has approved a substantially revised?
Game of Thrones
The use of personal data has increased hugely since the advent of the Internet. Internet services are usually provided free with advertisements, and to make these advertisements appealing they have to be as specific as possible. Social networks such as Facebook have got this down to an art. Anyone seeking to focus advertisements specifically on Dutch women between 35 and 40 who have recently moved house and enjoy watching Game of Thrones can do so fully automatically.
Such profiling might be commercially attractive, but from the point of view of privacy it is a particularly worrying development. The draft regulation has therefore been drawn up to erect a few obstacles and give citizens control over their personal data. But the proposals are very far-reaching.
Tightening and detailing
The privacy regulation is not a change of principle but a tightening and elaboration of the existing rules for the internet environment. For example, the ‘right to be forgotten’ on the internet has been the focus of much attention. This, however, is no more than an elaboration of the existing right to have irrelevant personal data removed.
There are some new aspects. Take the right to data portability: the person concerned must be able to take his or her personal data to another manager, and do so in a standard electronic format. Direct marketing is explicitly regulated. The privacy statement should be stripped of legal language and be "transparent and easily accessible" to the layman. And in the event of "data leakage" - a theft or inadvertent publication of personal data - the supervisor and the person concerned should be informed.
Furthermore, the Regulation imposes more accountability. Governance, process management and compliance are the magic words here. Business processes using personal data should be documented (especially how consent was obtained). Companies must be able to justify why they can’t make do with slightly less personal data. And many internet companies will have to appoint an independent privacy officer.
To enforce the above, the supervisor will be given the authority to impose a penalty that may be as high as € 100,000,000 per breach or 5% of the worldwide annual turnover. Worldwide? Because ‘getting’ Google, Facebook and other American companies is the explicit intention. According to the draft regulation these fall under European jurisdiction when they process the personal data of European citizens, regardless of the country in which they do so.
Early this year the European Parliament proposed more than 350 changes, which tighten the privacy thumbscrews a little more. For example, each use of personal data will need a separate act of consent, profiling requires a clear opt-out, and a company will no longer be allowed to simply require personal data as a condition of its service provision. In addition, anyone processing the personal data of more than 5000 parties (persons) has to appoint a privacy officer.
The bill has provoked many reactions, particularly from internet and media companies that depend on focussed advertising and profiling. This is understandable, because the cost of compliance will be substantial, and the direct marketing sector in particular will have to make significant sacrifices under the proposal. This has led to what European commissioner Viviane Reding once called the ‘most aggressive lobbying ever’.
In May 2013 a compromise text appeared that is now being considered by the Council of Ministers. The Council is expected to announce its final decision around October. If Parliament does not agree with this there will have to be negotiations. This is why it is hard to predict exactly when the Regulation will take effect, but it won’t be earlier than 2015.
What can you do now?
Although these are still early days, the privacy regulation will have a significant effect on companies and institutions. Therefore get to work now and lay the basis for proper implementation.
- Look into how consent is obtained. Under the Regulation this often has to be obtained separately, and your organisation has to prove this has been done. How will you document this?
- Read your privacy statement again with a critical eye. This statement will soon have to be “transparent and easily accessible”, meaning devoid of all legal language. And is the statement still in line with how your company currently operates?
- Hold your inspection and correction procedures up to the light. It should be possible for these to take place electronically. Does your help desk know what a request to inspect personal data is?
- How ‘portable’ is your storage? Can your customers or relations easily obtain a copy of their data, in Microsoft Excel for example?
- Check whether the company processes that process personal data adequately document what data they process and why. This documentation will be legally required.