An ambitious new framework for a data reliant world

Posted on January 25th, 2012 by



The most radical global attempt ever to regulate the exploitation of personal information is now in the public domain.  Following several weeks of increasing expectation about the content of the proposals, the European Commission published this morning two legislative documents: a Regulation setting out a general EU framework for data protection and a Directive on protecting on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities. 

Looking at the Regulation, the immediate reaction is that after many years of a principles-based approach, the new law will go much further than that and establish a new system of powerful rights and very prescriptive and uniform obligations across the EU.

The draft Regulation sets out very clearly its extra-territorial reach, which as Viviane Reding put it, will apply to companies that are active in the EU market and offer their services to EU citizens – although it is really ‘EU residents’.  What is also obvious is that the new law is targeted at companies operating on the internet and aims to shake up the way they tackle privacy issues.

The bulk of the proposed Regulation brings with it a whole new set of practical obligations for organisations – from data protection by default and the appointment of representatives by non-EU companies to the production of compliance policies and privacy impact assessments, and the compulsory designation of data protection officers.  Plus of course, nearly immediate data breach notification.  These obligations are a trade off for the overall reduction in regulator-facing administrative requirements, but also the basis for a new way of demanding practical compliance in the black letter of the law.

The prospect of substantial monetary fines based on the annual worldwide turnover of a company (up to 2%) may contribute to get the attention of some decision makers, but the real test for the proposed framework will be its viability in an ever-changing data reliant world.

This is by no means the end of the road.  My expectation is that 2012 will be a crucial year to influence the outcome of the new law and policy makers will be looking for input from all key stakeholders.