EU approves data protection law but critics remain

The European Parliament approved a draft law on data protection on Wednesday, but the mooted changes have yet to win universal approval in the infosec community.

All 28 European Union member states gave the plenary vote the green light, with the draft law being approved by 621 MEPs and rejected by 10 (22 MEPs were absent). The law could yet face further tribulations, however, given that the EU Parliament is due to disband before the next elections in May – one month before MEPs are due to argue over how to move forward with the law.

The laws, the first significant changes to European data privacy legislation since 1995, have been under discussion since 2012 with a view to being fully ratified in 2015 and implemented in 2016, and will introduce a number of changes that will have a dramatic effect on how consumer data is stored, and how companies respond in the event of a data breach.

In particular, the changes will stipulate that companies must pay up to €100 million (approximately £82.2 million) – or 5 percent of their global turnover – in the event of a data breach – a sanction opposed by a number of large American and European companies – as well as giving individuals a “right to be forgotten” when they change to another online service.

Furthermore, explicit consent will be required for businesses looking to process data, while companies will need to inform users, paying or not, of data breaches “without undue delay”. There's some speculation about what this constitutes, although Justice Commissioner Viviane Reding believes that 24 hours should be achievable for any organisation. (Update: Articles 31 and 32 of the draft Regulation state that companies should notify the regulator within 72 hours.)

The changes haven't come without concerns, however. At the International Cybersecurity Forum in Lille, France in January, Bird & Bird lawyer Gabriel Voisin said that the “question remains if it becomes positive law,” while DigitalEurope said on Wednesday that the regulation is “ill-suited to the digital economy”.

"The text adopted at today's plenary session of the European Parliament is over-prescriptive. It will hamper Europe's ability to take advantage of new ways of using data. This will put Europe at a disadvantage to other parts of the world that are embracing the new technologies," it said in a statement released on Wednesday.

But perhaps the biggest criticism came from Field Fisher Waterhouse privacy lawyer Stewart Room, who said that the changes are being driven by a 'lame duck'.

“Yesterday's European Parliament vote on the draft Data Protection Regulation has been heralded by some in the Parliament and the European Commission as cementing-in the new regime.  Nothing could be further from the truth,” he told SCMagazineUK.com, adding that the law has been criticised for being over ambitious, disingenuous and for handing out ‘heavy handed' fines. 

“The Parliament is a lame duck, in the last few weeks of power and as happens in these situations, the incumbents are trying to bind the hands of the successors.  Every Parliament tries this trick and it rarely works.  

“The sad fact is that the Parliament had an opportunity to nail this a year ago, when the momentum was with the reform agenda.  Instead, they got themselves trapped in a cycle of navel gazing, spending months and months on tiny points of detail, exhausting the Parliamentary time available, driving the reform agenda into a wall.  Now, the momentum is with the Eurosceptics, who will be better represented after the election.  The vote takes things nowhere.  

“The current EU leaders have left the law and regulation in a terrible state.  This hiatus is no good for anyone.  The best thing that the new leaders can do would be to scale back on the ambition and tackle some key points with more precision.”  

Others, too, have expressed concerns that while the changes will likely be welcomed by consumers, they will cause problems for most European businesses.

“While consumers will welcome the fact that the European Parliament has voted through the EU's first major overhaul of data protection legislation since 1995, many European businesses will be feeling nervous,” Christian Toon, head of information risk at Iron Mountain, told SCMagazineUK.com.

“The reality is that many remain underprepared, as demonstrated by a recent study revealing that only 45 percent of mid-sized businesses across Europe have an information risk policy in place.

“Businesses that fail to address the issue now not only run the risk of significant financial penalties in the near future, but may also risk serious reputational damage that will make customer retention more complicated…Companies must see this announcement as a wake-up call and use the time they now have to review and tighten their information management policies to make sure they are in a position to comply fully with the proposed changes to legislation if, or more likely now when, they come to pass.”

Lior Arbel, CTO of data specialist Performanta, added in an email exchange with SCMagazineUK.com that the emphasis will now fall on how companies gather and safeguard data.

“Whilst the news is a vital first step in improving data protection, more needs to be done to make companies liable for the data they gather and force them to deploy necessary safeguards,” he said.

“Many companies do not currently have the technical support to match any new data protection rules. Businesses therefore need to take proactive steps to ensure their information is properly monitored and secured, from external and internal threats, with effective information security controls.”