The New Data Protection Regulations 2012
The new data protection regulations 2012 were published at the end of January 2012. The new law is expected to be in place by 2014. The new law will potentially change the existing law in the following ways.
1. At the moment there is a directive which each member state has implemented and interpreted in its own way (i.e. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; implemented into the UK as the Data Protection Act 1998). Every country in Europe has a data protection law, as each has interpreted the directive in its own way.
In the UK, the interpretation of the directive is generally regarded as more business-friendly, whereas in countries like Holland, Germany and Italy there is generally a more consumer-friendly standard with respect to the processing and use of data. As the new regulation has direct effect, it will harmonise data protection law across the European Union, creating a one-stop shop.
2. At the moment only the data controller is responsible for the protective measures under the law. Article 17 of the new regulations extends responsibility to both the data controller and the data processor.
3. Article 30 of the new regulations may specify technical and organisational measures to protect data in a specific sector.
4. There will be opt-in consent for cookies.
5. Compulsory notification of breaches.
6. Increased compliance requirements.
7. Introduces a new right to be forgotten, subject to certain exceptions.
8. There is no sign of easing restrictions on data transfers.
9. There is a fine of up to 2% of global annual turnover for a breach of any of the regulations. So, for example, a company could be fined 2% of its global turnover for not having a data protection officer, or for relying on implied consent instead of express consent for cookies.
Big Data and the Cloud
Regarding big data and cloud solutions, the landscape is becoming more challenging, and not just because of the new regulations.
More than 80 countries have data protection laws in place, including Angola and Gabon. Although the 27 member states in Europe will harmonise their data protection laws under the regulations, there are 49 European countries, so there will still be 22 countries in Europe with different data protection laws. Getting data protection compliance right requires advice from lawyers in all the different jurisdictions.
The following issues appear to be systemic in cloud service provision.
1. Large cloud service providers are dictating the terms and conditions.
2. A cloud service provider may have its servers anywhere around the world.
3. Many cloud service providers use a number of sub-contractors.
4. How does a data controller ensure information governance?
5. Many of the large cloud service providers are US companies and are subject to the USA Patriot Act 2001. Requests by the US Government for data under the Patriot Act 2001 have increased by 30% every year.
Companies require legal advice from lawyers qualified in multiple jurisdictions. Contracts need either a standard cloud clause or several clauses that address the data protection and privacy laws of multiple jurisdictions.