Directive to send strong signal on data protection

"With a large majority vote, @Europarl_EN committee has sent a strong signal tonight: as of today data protection is made in #Europe. "

With that tweet – immediately after the important European Parliament civil liberties committee vote on Monday night – the European justice commissioner Viviane Reding gave a thumbs up to the latest negotiating stage for the reformed data protection directive that she introduced nearly two years ago.

The proposed directive was a major focus of Ireland's recent stint in the EU presidency, when Reding praised efforts by the Government here to push through initial discussion and reform. Some 4,000 amendments to Reding's original legislation, many of them hammered out in Ireland, were approved by a surprisingly swift and almost unopposed 49-3 vote (with one abstention).

In the wake of whistleblower Edward Snowden's revelations about US National Security Agency spying, MEPs chose to sharpen protections on third-party access to data, while holding companies that divulge personal data accidentally or deliberately, to increased sanctions and fines.

A parliament statement noted: “Responding to mass surveillance cases, MEPs inserted stronger safeguards for data transfers to non-EU countries.”

German MEP Jan Philipp Albrecht, who as rapporteur led the committee negotiations on the directive, said at a press conference: "In the future, only EU law will be applicable when citizens' data in the EU will be used, independently of where the company using the data is based, be it in Germany, Ireland or the US."

Legislators also added an explicit consent requirement for gathering and using data, and a “right to erasure”.

All of these elements are likely to make companies far more cautious about how they manage data.

"Europe is setting the data- protection agenda, and maybe the benchmark, and the rest of the world will have to follow," says John O'Connor, partner and head of the technology and commercial contracts group at Dublin legal firm Matheson.

Many of the US technology companies most likely to be directly affected by the draft directive’s provisions on handling personal data, including most named as part of the US NSA’s secret Prism data- gathering initiative, have their European base in Ireland and will no doubt be closely watching discussions.

O’Connor says that under the approved proposals, data protection is being shifted from a relatively low-level compliance issue to a board- level, high priority risk concern. “Corporations have known for years that sanctions for non-compliance with data protection have been incredibly low. That has really changed.”

While the draft will now go back to the parliament as well as the 28 member states for further discussion, and almost certainly further revision, O’Connor feels that post- NSA, increased sanctions for data breaches as well as the “right to erasure” of personal data are likely to remain as part of the final directive.

The right to erasure is a watering down of Reding’s proposed “right to be forgotten”, as organisations will only be expected to remove data if – within certain constraints – it doesn’t infringe on freedom of information or personal expression.

However O’Connor notes that in recent months it had appeared as if politicians would remove the controversial right entirely. Many businesses, especially US internet search and social media companies, had complained it would be expensive and potentially difficult to implement.

He sees the retention of that right, and increased sanctions against data breaches (rising from the initially agreed 2 per cent of a company’s annual global turnover, to 5 per cent – potentially millions of euros, even billions in the case of corporate giants like Google) as a clear indication of European anger over US surveillance revelations.

Other elements of the legislation retain general business support, particularly the “one-stop shop”’ harmonising data-protection law across all 28 states, instead of the current fragmented approach.

This is expected to save significant business costs and also to make it easier for smaller companies to compete for business across the EU.

One grey area is cloud computing, as on the face of it, US companies, even those running separate European data centres for European clients, seem obligated to hand over data held in the cloud if required under US laws.

“This really impacts on the global phenomenon of cloud computing,” says O’Connor, who notes that it might be a major spur to the development of European cloud firms, whose clouds and clients would not be subject to US laws. However, the use of encryption in the cloud, and the question of who – cloud provider or client – retains the private key for decryption, will pose further conundrums, he says.

Irish MEP Seán Kelly, who is industry committee rapporteur on data protection for the European People’s Party Group, expresses general satisfaction with the vote.

“Overall, I’m pleased enough with data protection as we have approved it by vote,” he says. He retains some concerns about the legislation’s impact on small- to medium-sized enterprises (SMEs), journalistic freedom and health research, but adds he is hopeful these could be addressed as negotiations continue at parliamentary and member state level.

In the case of SMEs, he says he would have preferred a proposal to fully scrap any requirement for SMEs to have a designated employee, or a dedicated officer, to deal with data protection.

Instead, SMEs with more than 5,000 clients must have someone in this role, even though he argues that often small companies would have little involvement in handling data.

“SMEs are crucial to the growth of Europe and any extra burden is going to have a cost,” he says.

He also feels that journalists should have an exemption when processing data for investigative purposes. As currently written, he feels that privacy protections are likely to have the side effect of protecting the rich and famous from a legitimate scrutiny of their affairs.

He also expresses concern that the ability to do medical research of public and individual benefit could be severely hampered by provisions requiring individual consent.

In Ireland, such a provision would possibly affect the storage of so-called Guthrie Cards, with blood samples from newborns. These were threatened with destruction due to data-protection laws before Taoiseach Enda Kenny made a commitment to find a legal way to preserve them.

The draft legislation now moves on for further discussion in parliament and member states, but it is expected that MEPs will wish to have the final vote on the directive by May, before the next round of parliamentary elections.