An ambitious new framework for a data reliant world
The most radical global attempt ever to regulate the exploitation of personal information is now in the public domain. Following several weeks of increasing expectation about the content of the proposals, the European Commission published on 25 January 2012 two legislative documents: a Regulation setting out a general EU framework for data protection and a Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.
Looking at the Regulation, the immediate reaction is that after many years of a principles-based approach, the new law will go much further than that and establish a new system of powerful rights and very prescriptive and uniform obligations across the EU.
The draft Regulation sets out very clearly its extra-territorial reach: as Viviane Reding put it, it will apply to companies that are active in the EU market and offer their services to EU citizens – although it is really ‘EU residents’. What is also obvious is that the new law is targeted at companies operating on the internet and aims to shake up the way they tackle privacy issues.
The bulk of the proposed Regulation brings with it a whole new set of practical obligations for organisations – from data protection by default and the appointment of representatives by non-EU companies to the production of compliance policies and privacy impact assessments, and the compulsory designation of data protection officers. Plus, of course, nearly immediate data breach notification. These obligations are a trade-off for the overall reduction in regulator-facing administrative requirements, but also the basis for a new way of demanding practical compliance in the black letter of the law.
The prospect of substantial monetary fines based on the annual worldwide turnover of a company (up to 2%) may help to get the attention of some decision makers, but the real test for the proposed framework will be its viability in an ever-changing data reliant world.
This is by no means the end of the road. My expectation is that 2012 will be a crucial year to influence the outcome of the new law and policy makers will be looking for input from all key stakeholders.
Fieldfisher will be holding a briefing to discuss the proposed EU Data Protection Regulation on Monday 13 February 2012.
For more information please contact Eduardo Ustaran, Partner and head of the Privacy and Information Law Group at Field Fisher Waterhouse LLP.