Debate: Is the EU Data Protection Act Reform Necessary?
Brian Honan and Stewart Room
Brian Honan, founder, BH Consulting
The EU Data Protection Directive dates back to 1995, when the landscape was much different. With the advent of cloud computing, the explosion in social media networks, mobile computing technology and outsourcing of data processing, the limitations of legislation designed two decades ago are clear.
This overhaul of the EU Data Protection Directive is necessary for both individuals and businesses. Individuals need assurance from organisations that their personal data will not be misused or compromised.
Businesses looking to reap the benefits of modern technologies face a potential legal minefield in trying to ensure they comply with the EU Data Protection Directive. Not only are they legally obliged to ensure any personal data exported outside of the EU is done so in line with the legal requirements of the Directive, they may also need to ensure that even within the EU they comply with each individual member state's adoption of the principles of the EU Data Protection Directive.
In order to ensure the individual is protected in today's interconnected world and to enable companies to embrace new technology, it is essential the Directive is brought into line with how technology and society have changed since it was first drafted in the last century.
Stewart Room, privacy lawyer and partner, Field Fisher Waterhouse
The sad fact is that the Parliament had an opportunity to nail this regulation a year ago, when the momentum was with the reform agenda. Instead, they got themselves trapped spending months and months on tiny points of detail, driving the reform agenda into a wall. Now, the momentum is with the Eurosceptics, who will be better represented after the election. The vote takes things nowhere. The best thing that the new leaders can do would be to scale back on the ambition and tackle some key points with more precision.
The proposed new regime will make it much easier for regulators to take enforcement action against companies and to impose very large fines. For instance, the breach disclosure regime - notifying security incidents to regulators - will cause a “financial penalty sausage factory” to exist at the heart of data protection law. The new rules will make it simpler for regulators to sanction mere technical breaches of the law.
The impression that Europe's preference for far-reaching regulation means that Europe is becoming “anti-business,” which may harm inward investment and stifle innovation.
The regime will add considerable costs to the bottom line of business. Compliance costs money and there are lots of compliance tasks within the EU's model.