EU proposes shake-up of data protection regulation

The European Union's data protection proposals will have implications for all businesses and consumers

The European Union is set to overhaul data protection laws in an attempt to bring them in line with modern business practice. In a move that will have implications for cloud service providers, the EU is looking to harmonise regulations so that there are no longer 27 different privacy laws for global business to deal with.

Announcing the proposals, Viviane Reding, the EU justice commissioner, said that the European data protection laws hadn’t changed since 1995, pointing out that in 1993 the Internet carried only 1 percent of all transmitted information, compared to the current figure of 97 percent.

She said that the harmonisation of the individual countries’ regulations and the introduction of a single directive would “create a strong, clear and uniform legislative framework that will help unleash the potential of the Digital Single Market. It will do away with the fragmentation that will save businesses around 2.3 billion euros per year. The new regulation will remove barriers to market entry – a factor of particular importance to small and medium-sized enterprises.”

Reding went on to point out that this harmonisation would also lead to greater efficiency in compliance. “There will be a regulatory ‘one-stop-shop’ for businesses for all data protection matters. A company will have to comply with one law for the whole of the EU territory. It will only have to deal with one single data protection authority. It will be the data protection authority of the member state in which the company has its main establishment.”

One fundamental concern, that of political interference, is also being addressed. “Data protection authorities must be independent from political and economic interests and have resources to do their job. They will need to work closely together – especially in cross-border cases – to make sure that the rules are across Europe,” said Reding.

A third strand to the new proposals will be the imposition of clear rules for international data transfers. Reding said that in a world where physical boundaries are meaningless, we need to rethink the way we transfer data. “It seems odd that data held by a European company is adequately protected whilst it is inside the borders of the European Union, but not when it is transferred to a different part of that same company in Asia or South America, even when there are safeguards in place,” she said. “In the Internet age, data protection laws need to take account of this global dimension.”

The EU has responded to concerns from both customers and businesses. Reding quoted a recent survey that revealed that 72 percent of Europeans were concerned about how companies used their personal data, while businesses have their own issues in dealing with the myriad regulations.

“The collation of harmonised data protection rules across 27 countries will without a doubt save organisations from a headache,” said Jeff Finch, security services manager for Interoute.

“The next step is to look for harmonisation with laws in other countries like the US, where the Patriot Act enables authorities to search telephone, e-mail, and financial records without a court order. Thus, understanding where data resides and in whose data centre will continue to be a crucial part of corporate governance for organisations,” he added.

Another central factor of the proposed changes is a toughening up of the regulations on dealing with data breaches. Reding said that the proposals would mean that consumers would be swiftly informed when their personal data is lost, stolen or hacked.

She added that she was preparing to introduce a general obligation for data controllers to notify data breaches. “Companies that suffer a data leak must inform the data protection authorities and the individuals concerned without undue delay.”

According to Bert Oosterhof, EMEA director of technology for data management company Informatica, the change will mean that data protection will move higher up the corporate agenda. He said that the company was already attracting interest from major companies who were looking at ways to handle their structured data better.

But some industry observers are concerned that the EU is moving too slowly, and ask whether the onset of cloud computing will render the new rules redundant before they are actually implemented. “If it is a further two years before internet companies are legally obliged to comply with the latest changes, will they still be relevant?” asked Francois Zimmermann, chief technology officer for Hitachi Data Systems UK.

“To implement effective data management policies the rules and policies should be updated as part of an evolutionary process, with changes being introduced as and when they are needed, rather than in a raft every few years or so,” he added.