Proposed data protection reforms have been the subject of much discussion, debate and lobbying since the draft regulation was first issued in January 2012.
Much concern has been expressed about many of the proposed provisions, in particular the right to be forgotten, compulsory breach notification, the requirement for explicit consent, and increased fines that could be issued under the new regime.
With the passage of time, however, and as a result of that discussion, debate and lobbying, the Irish Presidency drafted a compromise text in anticipation of the negotiations between the European Parliament and the Council of the European Union. This text, if accepted, would introduce some significant changes.
Here we look at whether or not there has been a softening of approach. If so, is that likely to make life a little easier for organisations that process personal data and are caught by the Regulation?
There is no doubt that, in certain respects, efforts are being made to make the Regulation more user-friendly.
Let us take breach notification as an example. The original draft Regulation provided that it was compulsory to notify the supervisory authority of every breach promptly and, where feasible, within 24 hours.
This was the subject of much debate for a number of reasons, particularly because:
- the timescale was regarded as being unreasonable and appeared to shift emphasis away from the need to contain and remedy the breach and mitigate the risk to individuals, towards giving priority to the administrative task of notifying the regulator
- the obligation would apply to every single breach regardless of how minor it was and/or the level of risk (if any) it presented to individuals
- such a wide obligation to notify the regulator was likely to strain resources and lead to notification fatigue
With this in mind, it is pleasing to note that the compromise text seeks to amend this obligation, so that organisations would only be required to notify the regulator of a breach where the breach is 'likely to severely affect the rights and freedoms of data subjects' and, where feasible, within 72 hours.
This demonstrates a clear intention to make the obligation less cumbersome and more manageable. However, whilst it does attempt to introduce some threshold in relation to when the obligation to notify arises, organisations would still need clear guidance from regulators in order to be able to understand when the obligation arises.
This shift of emphasis will, of course, provide organisations with some comfort. Without further guidance, though, it is likely organisations would still be faced with a difficult decision as to whether or not they are required to notify each breach to the regulator.
Another issue that has been the subject of change in the compromise text is consent.
Under the current regime, explicit consent is only necessary where sensitive personal data is being processed. Where an organisation wishes to process 'ordinary' personal data, they are required to obtain consent which is 'fully informed and freely given' to process that personal data.
The introduction of a definition of consent into the Regulation has caused quite a stir, not least because it stated that for any consent to be valid it must be 'explicit'. This change would have had significant implications for organisations that collect and process personal data, and would have resulted in them having to change many of their forms, documents and processes in order to obtain explicit consent in every instance.
However, as part of discussions, reference to the word 'explicit' has been removed from the definition of consent and consent must now be 'unambiguous' and 'a freely-given, specific and informed indication of his or her wishes'. Again, this suggests a softening of approach, as consent need not be explicit in every instance.
This offers little certainty, though, and is likely to mean that organisations will still need to review the policies, procedures and documents used to collect personal data in order to take a view on whether or not the consent obtained satisfies these requirements. As before, it is likely that clear guidance will be needed to help organisations determine exactly what this definition means.
Right to be forgotten
The 'right to be forgotten' has also been changed.
This right enables individuals to request the erasure of their personal data in certain circumstances and requires organisations to take reasonable steps to ensure that third parties, to whom this information has been transferred, also comply with the obligation.
At the outset, organisations were at a loss to understand: how they could comply with this in practice; how it could be monitored and enforced; and how far they would need to go to ensure they have complied with their obligations. While some amendments are being proposed in order to make this right more practical, many of these questions remain unanswered.
Focused and pragmatic
On reading the Regulation - and the surrounding debates and proposals - it is clear that many other aspects are still regarded as being problematic, including the conditions for processing (which some consider are unnecessarily narrow); subject access requests; and, of course, the threat of significantly increased levels of fines.
So at this interim stage, it does appear that efforts are being made to make the Regulation more business- focused and pragmatic. We do not know whether or not the proposed compromise text will be implemented in full, or at all.
Even if it is, many aspects of the Regulation and the compromise text remain unclear, and detailed guidance would be necessary to help organisations determine exactly what their obligations are.
If you would like to discuss the proposed regulation and what your organisation should be doing in order to ensure that you are ready for reform when it arrives, please contact Aisling Duffy on 03700865089 or [email protected]