EU justice minister Viviane Reding has been accused of holding a “Sword of Damocles” over business, after finally unveiling the first major shake-up of data protection laws for 15 years.
The proposals, first leaked at the end of last year and now revised, are designed to bring data legislation in line with the Internet age. Although they have been unveiled today (Wednesday), it could be many weeks before the full implications are revealed as industry bodies and lawyers sift through the finer detail.
The main change identified so far is to give consumers the ‘right to be forgotten’ – a move which has already been branded ‘unworkable’.
But it has brought the Commission into direct conflict with the business community – especially online firms – who fear it will bog them down with “onerous compliance obligations”.
As predicted, some of the draconian measures – including forcing opt-in for marketing communications and massive fines for data breaches – have been watered down. Yet the DMA has raised concerns that the proposals still “pose a severe threat to the ability for UK businesses to use data to market their goods and services”.
Commenting on the publication of the draft text, executive director of the DMA Chris Combemale said: “UK businesses need to be worried about the potential impact of the Data Protection Regulation. Severe restrictions on the way in which they can use personal data for marketing purposes will be hugely damaging to sales.
“We’ve achieved some success because the move toward an opt-in only regime for offline direct marketing hinted at in early leaked drafts wasn’t in the official draft text published today. However, we mustn’t be complacent because there remains every possibility this could be reinstated at a later stage.
“There are a number of other points in the Regulation that we are also concerned about and we’ll study these in detail. We fully appreciate the need for data protection rules to be in place to build consumer trust in sharing their information with companies, but getting this balance wrong will have terrible financial consequences to UK plc.”
Another source added: “These proposals are apparently designed to help businesses, but they are like a Sword of Damocles threatening their very existence. Marketing is the lifeblood of many firms; many of Reding’s proposals threaten to kill off long-established practices.”
Meanwhile, Thomas Boué, of the Business Software Alliance (BSA), which represents the likes of Microsoft, Apple, and Siemens, said: “The Commission’s proposal today errs too far in the direction of imposing prescriptive mandates for how enterprises must collect, store, and manage information. The rules should focus more on the substantive outcomes that matter most to citizens. The risk in the proposal’s current design is that it will bog down companies with onerous compliance obligations, which could inhibit digital innovation at the expense of job creation and growth.”
And Wim Nauwelaerts, legal expert at Hunton & Williams’ Privacy and Data Security practice in Brussels, commented: “Introduction of the so-called ‘right to be forgotten’ goes beyond a justifiable desire to enhance individuals’ ability to erase their personal data in the Internet and creates a right that will be difficult to implement and that may have a chilling effect on the use of the Internet in the EU.”
Key changes in the reform include:
• A ‘right to be forgotten’ will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.
• A single set of rules on data protection, valid across the EU, claimed to save businesses around €2.3bn a year.
• Companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).
• Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment.
• Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.
• People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services.
• EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
• Independent national data protection authorities will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1m or up to 2% of the global annual turnover of a company.
For DecisionMarketing readers wanting to go over the proposals themselves, the EU has posted the Draft Data Regulation here…