
The EU Data Protection Regulation and UK Business

About The Author

Matt Bogdan (Former EU & International Law Editor)

Matt graduated with an LLB (2:1) from Durham University in July 2014. Most recently, he has been assisting with research on comparative company law at the Durham Law School. Matt is primarily interested in the TMT sector, but has also been involved in matters of public international law through Durham United Nations Society.

What is Data Protection?

Data protection law strives to achieve a balance between protecting an individual’s right to privacy and supporting businesses by allowing the use of consumers’ data for commercial purposes. In the current age of the Internet, online businesses are able to accumulate vast amounts of personal data from consumers using various online services, such as website browsing, social networking and electronic commerce. This collected data is then processed for a variety of marketing purposes that may include optimising a website’s display advertising (see Chris Bridges’ article on ‘stalking advertising’), sending direct email marketing or analysing customers’ cart behaviour (in e-commerce) in order to recover lost sales. Clearly, amassing consumers’ data is commercially advantageous as it enables businesses to adapt and improve their services to match their consumers’ needs. The question that naturally follows concerns the other side of data collection. How do data collection and processing affect the consumer’s right to privacy, and how are the associated risks (e.g. security breaches) mitigated? Data protection laws address these concerns and are thus vital in regulating business-to-consumer (B2C) online relations.

Information Age vs. Data Protection

In the European Union (EU) the legislative framework on data protection is primarily governed by the Directive on Data Protection (DDP), which the UK implemented through the Data Protection Act 1998 (DPA). Since the enactment of the DDP in 1995, however, the world has significantly changed. Online businesses have multiplied, e-commerce is blossoming and social networking has become the order of the day. The amount of data available online has been skyrocketing each year; Deloitte has found in its ‘Data Nation 2012’ report that the quantity of data found on the Internet is growing at a staggering rate of 40% a year. While the growth of our digital footprints corresponds to the rapid proliferation of online services, our awareness of when our data is being collected is, paradoxically, falling, which may result in abuses of our privacy (see Deloitte’s ‘Data Nation 2013’ report on privacy protection in the ‘Big Data’ age). This perhaps does not come as a surprise to those vigilant individuals who have embarked on the arduous task of reading a privacy policy in full. One study on online privacy policies and formats has found that a privacy policy takes on average 25 minutes to read and that an Internet user would take approximately 31 hours to read the privacy policies of all websites they have visited in a year. In practice, most of us do not go further than a brief skim through these policies. Whilst the current data protection framework includes safeguards against abuses of the right to privacy, it is somewhat unsettling that approximately 30% of businesses across the EU and 14% of businesses in the UK do not comply with the DDP/DPA (survey conducted by Trend Micro).

Whether the reasons lie in the paradoxical juxtaposition of the growing digitalisation of society with the decreasing awareness of personal data exploitation, or in the suboptimal levels of compliance with the current data protection laws, the EU authorities have decided to update the European data protection regime with the forthcoming Data Protection Regulation (DPR).

Data Protection Regulation – Preliminary Points

In 2012, the European Commission proposed a major reform of the system for protection of personal data by publishing a draft of the Data Protection Regulation. While the changes put forward are rather substantial, there are three practical points regarding the DPR to consider before examining its provisions in greater detail.

Merely a Draft

The current draft of the DPR will be regularly amended and revised until its predicted enactment in 2015 (entry into force expected in 2017). Accordingly, while the analysis below concerns the 2012 draft of the DPR, its finalised form may not include all of the changes discussed below. The drafting process may be affected by the March 2014 changes in the composition of the European Parliament, by the November 2014 entry into office of the newly elected Juncker Commission, and by the tensions within the European Council of Ministers, whose position on the DPR remains unclear.

Harmonising Effect

The DPR is a directly applicable piece of legislation that aims to harmonise data protection laws across the European Union, thus removing the need for Member States to implement the changes into national legislation. In contrast, the old DDP had to be transposed into internal law by the Member States, which naturally led to differences between European data protection regimes (a thorough analysis of the implementation of the DDP has been provided by Douwe Korff). In this respect, the DPR is beneficial for online intra-EU business, since providing online services exposes businesses to a range of jurisdictional issues whose relevance increases where differences between data protection regimes exist. That being said, although the DPR in some ways allows Member States to build upon, specify or depart from the law, this flexibility cannot be compared to the relative freedom afforded to Member States in implementing the old DDP.

In addition to the pan-European data protection regime, the DPR also proposes a “one-stop-shop” system whereby businesses operating across the entire EU would only have to engage with the data protection authority (DPA) of their country of primary establishment and not with the DPAs in other relevant jurisdictions. This, however, was criticised for limiting access to justice for consumers located in those other jurisdictions. In October 2013, the European Parliament proposed to replace the one-stop-shop with a “leading authority” system, which requires the primary DPA to consult all other relevant DPAs before reaching a decision. Either system should reduce compliance costs for online businesses engaging in EU-wide trade (the borderless nature of the Internet ensures that most do).

Territorial Expansion

The draft DPR considerably expands the original scope of the EU data protection regime. The data protection laws will now also apply to data controllers not established in the EU who are either offering goods or services to data subjects in the EU, or monitoring their behaviour (Article 3 DPR). The first requirement is likely to catch most businesses dealing in e-commerce, whereas the second should include all service providers who plant tracking devices (e.g. cookies) on data subjects’ equipment. Interestingly, in its initial analysis of the European Commission’s proposal for the DPR, the Information Commissioner’s Office (ICO) criticised this change for being unattainable in practice and thus misleading consumers into a false sense of security. The argument is twofold: (a) establishing that goods or services were “offered” where a business has merely “made them available” should prove problematic, and (b) the enforcement of EU supervisory authorities’ decisions in foreign jurisdictions is unrealistic.

The first of the ICO’s concerns could be resolved with already existing solutions, such as Article 15 of the Brussels I Regulation, which prescribes a twofold mechanism (consisting of a ‘pursuing’ and a ‘directing’ test) that is used to ascertain whether e-commerce vendors have actually entered a given jurisdiction. While the application of Article 15 in itself merits an elaborate debate, it could at least function as a solid starting point for the purposes of the DPR.

Resolving the second of the ICO’s concerns requires some creative, common-sense thinking from the European authorities. Cooperation between domestic (EU) and foreign supervisory authorities could facilitate cross-border enforcement, particularly since the number of cooperating jurisdictions would generally be limited to the United States, from where most international online businesses originate.

Data Protection Regulation – Key Changes

While the list of changes introduced by the DPR to the current data protection regime is rather extensive, this article limits itself to the three seemingly most fundamental and disruptive ones.

Requirement of Consent

Processing of personal data may be deemed lawful only where at least one of the conditions outlined in Article 6 of the DPR is fulfilled. The easiest and most common pathway to acquiring a valid legal ground for data processing is obtaining consent from the data subject. The industry standard under the current data protection regime allows implied consent to be treated as valid consent. In practice, this means that opt-out agreements as well as pre-ticked opt-in agreements are both sufficient for the purposes of the DDP.

The DPR, however, makes the definition of consent more stringent by requiring a ‘freely given, specific, informed and explicit indication … either by a statement or by a clear affirmative action’. Accordingly, data subjects will have to show explicit agreement through positive action (such as clicking an online tick-box) in order to render the use of data lawful, thus denying businesses the possibility of relying on implied consent or opt-out mechanisms. Despite the considerable controversy surrounding this change, it is likely to remain in the final draft of the DPR, since this unified definition of consent is also used in the E-Privacy Directive and it would be unusual for the EU authorities to create diverging definitions instead of harmonising them. The impact of this change on the online industry should be significant – numerous businesses will have to introduce new consent forms, which will be less beneficial for businesses since consumers are generally less likely to opt in to data processing than to opt out. As a result, the advantages and/or benefits arising from direct marketing should dwindle. One study on the impact of the DPR on small and medium-sized enterprises (SMEs) in the EU has found the ‘additional clerical and legal validation costs stemming from this article to be €633 per year for an SME’.

Consent under the DPR must also be ‘freely given’, which should preclude businesses from making their services conditional upon agreement to data processing and as a consequence, detrimentally affect providers of ad-supported services.

The DPR also prescribes a requirement of parental consent to the processing of data of children under the age of 13. Businesses will therefore have to implement technological solutions to distinguish between parental consent and that of a child. Notably, this change echoes the US Children’s Online Privacy Protection Act (COPPA), which was heavily criticised for being impractical and too onerous on businesses. Thus, a key responsibility lies with the European Data Protection Board, which will be setting out guidelines on how to obtain valid parental consent.

Strengthening the Data Protection Principles

Article 5 of the DPR outlines the fundamental principles by which data controllers must abide when processing personal data. The DPR elaborates and expands on the existing set of principles.

First, data controllers are now required to have ‘transparent and easily accessible policies with regard to the processing of personal data and for the exercise of data subjects’ rights’. This new ‘transparency requirement’ relates to the list of information to which the data subject is entitled by law (the list can be found in Article 14(1)). Even though the updated version of the list is more extensive, most of the newly added information is usually provided as part of the old ‘any further information’ category from the DDP. Having said that, such express codification is likely to result in additional administrative costs for businesses, since existing privacy policies will have to be reviewed and refreshed in order to meet the more extensive information requirements, especially for those businesses that have so far been relatively sparing with the information they provided.

Second, the DPR strictly restricts the collection and processing of personal data to circumstances where it is ‘adequate, relevant and limited to the minimum necessary’ with respect to the purposes for which such data is processed. Accordingly, data controllers will be allowed to store data for longer than it is processed only for historical, statistical or scientific-research purposes, and only where reviews assessing the need for continued storage are conducted periodically. Reusing previously collected data for purposes other than the original one will be subject to fulfilling at least one of the data protection principles (Article 5). This change will affect businesses operating as data aggregators, which are enterprises that compile and store information on individuals and sell it to other entities (see Chris Bridges’ article on the storing and sharing of ‘anonymised’ private data).

Third, the DPR introduces the new ‘Accountability Principle’ (Article 22), which requires both data controllers and data processors to adopt policies and implement measures that will prove their compliance with the DPR in relation to the processing of personal data. Notably, the old DDP only imposes obligations on data controllers and leaves data processors to be regulated by their controller-processor contracts (where they are separate parties). Hence, if a business happens to offer processing services to data controllers, the DPR will now regulate its conduct as far as Article 22 is concerned. The key obligations include:

  • Keeping records and documentation about processing activities (Article 28): detailed documentation must be maintained for all processing operations. This requirement does not apply to Micro, Small and Medium Enterprises (MSMEs) employing fewer than 250 persons that process personal data only as an activity ancillary to their main activities. Beyond that threshold, however, the more data a business collects, the more documentation will have to be compiled and therefore the higher the administrative burden becomes.
  • Implementing data security requirements and complying with security breach notification obligations (Articles 30-32): appropriate technological and organisational solutions are expected to ensure an appropriate level of security, with security risk assessments being required for every type of data stored. The DPR construes data security as a dynamic concept and makes it clear that security solutions should be maintained at the highest appropriate level of technological advancement. While data controllers are required to report any breaches to DPAs without undue delay, within 24 hours of becoming aware of them, the processors’ duty involves notifying the controller ‘immediately after the establishment’ of a breach. This requirement can prove particularly costly to businesses, especially where the security breach in question is of minor impact. Businesses may also be pushed to establish dedicated security breach teams that will follow an adequate set of procedures in order to ensure compliance with the DPR.
  • Carrying out data protection impact assessments (Article 33): impact assessments are required before undertaking any processing that presents a specific privacy risk by virtue of its nature, scope or purpose (e.g. profiling or processing data on sensitive subjects like sex life or health).
  • Appointing a data protection officer (DPO) (Article 35(1)): while the 2012 draft imposes the obligation to appoint a DPO on all public sector enterprises employing more than 250 employees and on all firms whose core activity comprises monitoring of personal data, the European Parliament proposed instead that the threshold should be the number of data subjects whose data is processed (at least 5000 in a continuous 12-month period). A DPO’s duty involves supervising the firm’s overall compliance with the DPR (e.g. training staff about data protection, conducting risk and impact assessments or investigating security breaches), which, needless to say, is a considerable task. Interestingly, the EC Impact Assessment predicts that DPOs will only have to work four hours a year to fulfil their duties, which according to Christensen and Colciago is unrealistic, while the predicted costs are underestimated. Notably, if the European Parliament’s proposal for the obligation-activating threshold is adopted, then Article 35 will probably ‘catch’ many SMEs, which may struggle to bear the resulting economic costs.

Empowering Data Subjects

The DPR includes a number of amendments to the existing provisions on data subjects’ rights, among which the following are of particular significance:

  • More information duly available to data subjects (Article 14)

As previously mentioned, data subjects will have access to more information (unless they have already been provided with it under the old ‘any further information’ category).

  • Right to be forgotten (Article 17)

This new right entitles data subjects to request the data controller to erase all personal data relating to them and to abstain from further dissemination of that data. This should produce a significant administrative and technological burden on businesses relying on the collection and commercial exploitation of significant amounts of personal data, such as data aggregators.

  • Restriction of measures based on profiling (Article 20)

This provision limits the use of measures based on automated personal profiling of individuals to situations where the measures are expressly authorised by law, carried out in the course of entering into or performing a contract, or where the data subject has given their explicit consent. Advertising networks producing extensive and detailed profiles of individual consumers (based on their online behaviour) may suffer a significant loss of revenue due to this restriction.

Concluding Remarks

Few statements about the Data Protection Regulation are undeniable: that it is imminently forthcoming, that it harmonises and strengthens the data protection regime across the European Union and that it is likely to be costly for businesses, at least at the beginning, while businesses learn to adapt to the new industry standards. While the EU business community will have to wait at least three more years to see the DPR in force, it would be wise to follow the data protection developments as they unfold, because it may happen that some business models based on collecting and storing personal data will no longer be viable in the near future.
