Readers of the Digital Law Daily News Summary today will have seen two prominent stories from Info Security magazine regarding the passage of the proposed 2012 EU Data Protection regulations. Why is this so significant?
The proposed regulations will amount to a major step change in how data is stored online by governments and businesses in the EU, given that the regulations currently in use date from the 1995 Data Protection Directive. These in turn led in the UK to the Data Protection Act 1998. However, the world was a very different place in 1995. Less than 1% of the UK was online in 1995, and those that were enjoyed, in the main, very slow dial-up connections which took an inordinate amount of time just to download a photo or send what would then have been a very novel e-mail. Mark Zuckerberg himself was just 11 at the time, and it is unlikely that even he envisaged the billions that he would eventually generate through the Facebook IPO some 17 years later. Yet it is these regulations which govern the storage of data online now through the cloud and the multitude of social media platforms. A rewrite is clearly long overdue.
Consequently, the arrival of the proposed 2012 regulations was eagerly anticipated earlier this year. The 1995 regulations have in turn been interpreted in subtly different ways across the EU when they were enacted into domestic legislation, with the result that in the German state of Schleswig-Holstein, where they have a particularly strict interpretation of the German Data Protection Laws, it is no longer possible to “Like” anything on Facebook. The state legislators felt that it was illegal for Facebook to store such information on each user’s preferences, despite Facebook offering a compromise whereby “Liking” would have become a two-stage process, with each user being asked to tick a box to signify their consent. This powerfully illustrates that if a strict interpretation of the current data protection laws could lead to such action, a new set of Data Protection Regulations, depending on how they are drafted, could lead to similar measures being taken against social networks and cloud computing providers if they were felt to be contravening any new EU-wide regulatory system. Not surprisingly, the UK Information Commissioner’s Office (“ICO”) has been quite vocal in raising its concerns that small and medium enterprises must not face strangulation from an overly onerous and repressive new Data Protection framework.
That is why the news today makes very interesting reading against this backdrop. Only a few weeks ago there was a meeting of EU Home Affairs ministers at which these same draft regulations were discussed, and if they are to come into effect in 2012 they will have to move forward very swiftly. The release by Statewatch of a leaked copy of the response from individual EU states to the regulations shines a light on the views of the members who would ultimately be required to work under the new set of rules. The regulations are set to operate through the use of “delegations”, and several states are anxious about this system being used, as it potentially allows for greater interference from the EU in adding to or amending the Data Protection Regulations in future. In the technologically driven world of data protection this is probably a sensible provision from the EU in order to try and prevent the type of stasis behind the currently outdated legislative framework. However, Belgium, France and the UK have all shown they have reservations over the use of Regulations, and have voiced their preference for another Directive. Meanwhile, Italy has stated that it is fully in favour of having Regulations.
This division of opinion has been reflected in the Opinion of the European Economic and Social Committee. Even if a Regulation is used over the option of another Directive, the committee is of the view that “Member states should be free to adopt provisions under national law in areas not covered”. It too harbours the same concerns over the use of “delegations”.
France in particular has taken issue with the “Right to be forgotten”. This principle, enshrined in the proposed regulations, would allow for any individual to be able to leave a social network. It followed hot on the heels of the fact that it was impossible to leave early versions of Facebook and LinkedIn: once you were in, you were in for life. Pressure from rights groups led to a very visible change in policy by Facebook. However, the French are quite rightly asking how effective this can truly be. They have asked if erasure would cover removing data, or just the access path to it. This is a very pertinent question. Take the average Facebook profile, with the streams of comments, photos, posted articles, videos and game profiles. If a user leaves Facebook, will all of their contributions to a comment thread disappear? Would photos in other users’ profiles, which appeared when they were tagged, be removed? In effect, how far-reaching would the right to be forgotten be? The European Economic and Social Committee is certainly of the view that the “Right to be forgotten” should apply right across all social media.
The Committee is also of the view that search engines and those providing cloud computing space should all come within the remit of the Regulations. This could have the effect of bringing the EU into conflict with some of the largest corporations in the world, including Google, Facebook, Microsoft and Amazon. The question would then be exactly how much these businesses value the European market, and how many resources they would commit to complying with regulations when it may simply be easier not to supply them to EU member states in the first place.
The need under the Regulations to report Data Protection breaches within 24 hours is seen by the UK and Liechtenstein as being particularly onerous on SMEs, with the potential to massively increase overheads and administration costs. The UK would like a requirement for a Data Protection Office in every business with 250 or more staff to be relaxed, while the Economic and Social Committee would like to see this provision tightened further. With the country currently in the depths of a recession, despite the current bubble of the gold rush in the Olympics, the UK Government is asking how it can possibly support regulations which could make it even more expensive to run a business than it already is. The UK has also drawn attention to the fact that the Regulations are seen as being a “Schengen Agreement”, which the UK is not a member of. Consequently, these proposed regulations may have no effect in the UK anyway. Yet given the regulatory framework is clearly in need of reform, this would not be an ideal state of affairs.
These have become known as the “2012 Data Protection Regulations”. However, these developments would appear to suggest that a common Data Protection Framework across Europe remains some way off. The net result for Europe is that the US will continue to forge ahead as the powerhouse for social media and cloud computing while the EU continues to bicker with itself about what should or should not be permissible. Against the backdrop of a global economy undergoing seismic changes, this could be catastrophic for the EU, which will have been long left behind by the time it gets its house in order.
