Data Protection - The big switchover

This article was first published in Utility Week in January 2012

A quiet revolution is currently taking place in Brussels' corridors of power.  The process of reform of the European data protection legislation has been going on for over two years, but we are about to witness a crucial legislative development.  When the European Commission unveils in the coming weeks its proposal for a new data protection framework, it will become the most significant global legislative development affecting the collection, use and protection of personal information of the past 15 years.

The draft legislation crafted by the Directorate General for Justice, Freedom and Security has already been circulated around other Directorate Generals and the final touches are now being applied.  Why is this such a critical development?  What does the draft say and how will it affect utility companies?

Legal changes

Although built on the foundations of the existing data protection directive, the new framework will bring with it considerable changes aimed at rejuvenating a law which has lost its effectiveness to tackle the data privacy changes of the 21^st century.

The main novelties introduced by the new regime will be as follows:

• A Regulation – It is widely accepted that a regulation, rather than another directive, will be the best mechanism for a harmonised regime that delivers a consistent level of protection across the EU.  This means that once adopted, the regulation will be directly and universally applicable across all EU Member States without the need for national legislation.  There are obvious pros and cons to this approach, so whilst a single law will be beneficial to companies operating internationally, UK companies will lose the benefit of the business-friendly approach of the UK data protection legislation.
• Applicability based on establishment and targeting of European residents – Any company that processes personal data in the context an EU-based establishment will be subject to the new law in any event.  However, the regulation will extend the applicability of European data protection rules to organisations established elsewhere that direct their processing activities at, or monitor the behaviour of, individuals who live in the EU.
• Privacy principles – Existing data protection principles like transparency, finality, proportionality and data quality will continue to be at the core of the legal framework.  But in addition, there will be some new ones like data minimisation (i.e. personal data must be limited to the minimum necessary) and accountability (i.e. personal data must processed under the responsibility and liability of the controller).
• Consent – Individuals' consent will remain a cornerstone of European data protection law but the standard for valid consent will be higher than ever before, with a greater emphasis on the individual's freedom of choice.  The following enhancements are likely to be part of the new rules on consent:
  
  
  • The controller must bear the burden of proving that the data subject has given consent.
  • If the consent is to be given in the context of a written declaration on another matter, it must be made distinguishable in its appearance from this other matter.
  • Consent will not provide a legal basis for the processing, where there is a significant imbalance in the form of dependence between the position of the data subject and the controller.
• Stronger rights – Some rather radical changes are likely to come in the shape of new or strengthened individuals' rights.  Top of the list will be the much publicised right to be forgotten followed closely by data portability rights.  No doubt the Commission will want to give people as much control as possible over their data, particularly in relation to profiling activities.  Expanding on the current directive, the regulation will also require companies to provide their customers with additional transparency information such as the period for which the personal data will be stored, the different rights available to individuals and whether their personal data will be transferred internationally.
• Controller's responsibilities – As a flipside of the increased rights of individuals, controllers are bound to face very specific responsibilities ranging from the adoption of policies and principles such as privacy by design and privacy by default to the training of staff and the appointment of data protection officers.  For most companies, this will be one of the most noticeable differences with the existing regime, as putting in place a comprehensive data protection compliance programme will become a legal obligation in the black letter of the law.
• Data breach notification – As is already the case for providers of communications services, an obligation to notify security breaches to data protection authorities (and in some cases to the individuals affected) will now apply to all controllers.  Again, this will represent a significant departure from current practices and will make the likelihood of investigations by the data protection regulators much greater.

• International data transfers – Greater flexibility is expected on this issue alongside an express recognition for binding corporate rules (BCR), which will be available to both controllers and processors.  The European Commission has made it clear that they expect BCR to become the norm for all international companies going forward.  An area of concern however is the potential conflict between data requests by non-EU authorities and the limitations on data disclosures, which will probably require the involvement of data protection authorities in determining how to resolve such conflict.

• Role of data protection authorities – The main novelty on this front is bound to be in relation to their geographical competence.  In all likelihood, the data protection authority of the Member State where the main establishment of a data processing organisation is based will be responsible for supervising that organisation across the whole of the EU.  We can also assume that greater international coordination mechanisms will be in place.

• Enforcement powers – The promise by the Commission of stronger enforcement powers for the data protection authorities is bound to bring harmonised and hefty monetary fines of potentially up to 5% of annual worldwide turnover.

Practical implications for utility companies

Multiple customer acquisition channels, loyalty schemes, smart metering and tougher competition generally, will make data protection compliance a much greater priority amongst utility companies.  In the light of the forthcoming regime, there are some immediate actions that should be at the top of the list, including:

• Legislative outreach activities – The legislative process initiated by the European Commission will carry on in the coming months, so there are clear opportunities to influence the outcome by reaching out to legislators and policy makers both in Brussels and at a Member State level.
• Privacy policies and consent forms – As transparency and consent take the centre stage, the importance of deploying the right privacy policies and consent forms will be paramount.  The time for reviewing their content and channels of communication is now.
• Subject access and other rights – Having suitable procedures to comply with subject access and other individuals' rights will be the key to getting this aspect of compliance right. 
• Accountability framework – Under the new regime, evidencing compliance will be critical.  This means adopting easy to find and understand internal compliance policies and implementing a sensible line of responsibility.  Whilst it is still early to know what privacy by design and privacy by default will amount to, the practice of carrying out privacy impact assessments should already be embedded into product design activities where such products involve accessing or using customer data.
• Flexible international data transfers – The days of blindly signing up to the so-called model clauses and putting the contract in the drawer are over.  BCR are tipped to become the way to go and the only guarantee for an effective global data protection approach.

All in all, it is beyond doubt that the Commission has crafted a framework that aims to address the regulatory requirements of today's and tomorrow's data protection.  How utility companies respond to this challenge will be critical to their success.

Eduardo Ustaran is a partner and Head of the Privacy & Information Law Group at Fieldfisher.