Introduction

There are few pieces of regulation that have the type of impact the EU General Data Protection Regulation (GDPR) will have on the practice of marketing across the European Union (EU). The GDPR covers the transfer, use and security of data and seeks to balance the needs of the growing digital economy with the rights to privacy and data protection of all EU citizens. In essence, every private and public organization operating within the Eurozone holding 5,000 records or more will have to assess and change their approach to the data they handle or face sanctions that could be as much as five per cent of global turnover or €100m.

The basis for the GDPR is that existing national laws within the EU, such as the Data Protection Act 1998 in the UK, have failed to keep pace with rapid changes in technology, in a world where marketers now have the ability to track and extract data about customers, clients and supporters without their explicit consent. As exciting as this prospect may appear to a brand or company looking to improve the effectiveness of its sales and marketing in order to drive incremental sales, European consumer groups and regulators, such as the UK’s Information Commissioner’s Office (ICO), are united in their view that such powers need to comply with a higher level of transparency and accountability than is provided under the current patchwork of laws across the EU.

For some marketers, the GDPR could appear to be a heavy compliance burden, as well as a major business continuity issue, since the GDPR affects existing direct marketing activities across all 28 Member States. Ultimately, effective sales and marketing depends on achieving permission, and this can only be achieved by building trust rather than through exploitation. What’s also eye-catching about the GDPR is that it applies to all organizations across the world, such as outsourcing providers in India that hold millions of records on EU citizens, so processors and controllers of data are for the first time to be treated on an equal basis.

Progress towards an EU-wide approach

At a 4–5 December 2014 meeting of the Justice and Home Affairs Council, part of the EU Council of Ministers, the forthcoming EU GDPR took a further step towards adoption across all 28 EU Member States. The meeting, attended by Chris Grayling, Lord Chancellor, and Theresa May, Home Secretary, and chaired by Andrea Orlando, Italian Minister of Justice and President of the Council, marked a tipping point in the harmonization of data protection laws.

At that meeting, the EU Council of Ministers reached partial consensus on two important and inter-related points with respect to data security and protection that sit at the heart of the proposed EU Regulation: a general EU framework for data protection and a ‘one-stop shop’ (OSS) mechanism that can be used by data subjects in order to arrive at a single supervisory decision in trans-national data protection breaches.

This partial agreement on the general approach includes provisions that are crucial to the public sector (Article 1, Article 6, Paragraphs (2) and (3), Article 21), as well as provisions relating to specific data processing situations as outlined in Chapter IX of the proposed EU Regulation. The technical architecture for dealing with data breaches and other issues under the EU Regulation will be fast-tracked in the coming months so that the technical aspects are settled.

‘One-stop shop’

The objective of the OSS is to arrive at a single supervisory decision in instances of trans-national data breaches, and this should be fast, ensure consistent application, provide legal certainty and reduce administrative burden. Many advocates of such an approach claim that this is a good example of balancing the need for a uniform approach for data controllers while providing remedies for data subjects. ‘This is an important factor in enhancing the cost-efficiency of the data protection rules for international business and thus contributing to the growth of the digital economy’, adds the communiqué from the EU Council of Ministers.

From a UK perspective, the ICO is likely to be closely involved as the decision-making supervisory authority as to whether enforcement action is brought against organizations and companies that are located in the United Kingdom, but that have created a data protection breach across trans-national borders.

A step closer to being finalized

The proposed EU Regulation has taken a step closer to being finalized in 2015, although many commentators now think Spring 2016 is a more likely date for agreement. Partially clearing these two hurdles, once regarded as ‘insurmountable’, is a clear indication of the appetite for getting the EU Regulation adopted once and for all. Clearly, the EU Council of Ministers needs to finalize its version of the draft EU Regulation before negotiations can enter their final stage. But this latest partial agreement is another example of the incremental progress that’s been made in the last 12 months.

Many in Europe, including those in Germany, France and Italy, see this forthcoming EU Regulation in the wider context of protecting fundamental human rights. On 5 November 2014, the German Federal Commissioner for Data Protection, Andrea Vosshoff, and the European Data Protection Supervisor (EDPS), Peter Hustinx, held a panel discussion on the state of play and perspectives of the forthcoming EU Regulation. One of the panellists, Stefano Mura, head of the Department for International Affairs at Italy’s Ministry of Justice, reiterated that the proposed EU Regulation is not only an EU single-market issue. ‘We need the highest affordable standard of fundamental rights’, said Mura with reference to Article 8 of the EU Charter of Fundamental Rights, which provides that everyone in the EU has the right to the protection of personal data.

This was particularly reflected in the controversial judgement of the European Court of Justice in the right to be forgotten case (https://privacyassociation.org/news/a/court-ruling-makes-right-to-be-forgotten-a-reality/), which specifically referenced this right in concluding that an individual could have a search engine listing removed where the material it linked to was no longer relevant. This theme was developed further by Isabelle Falque-Pierrotin, President of CNIL, the French Data Protection Authority, and also chair of the Article 29 Working Party.

Falque-Pierrotin noted that the right to be forgotten judgement had shown that some of the ideas in the forthcoming EU Regulation were already being developed through the courts, and this highlighted the urgency to get the EU Regulation agreed and to demonstrate to the world that Europe had a common standard in place and the regulatory powers to back it up. Although the participants in the debate identified a number of key outstanding issues to be resolved before the conclusion of the reform process, there was some optimism that such issues would be overcome and the process completed before the end of 2015.

Why this matters

This is significant as the organizer of the debate, the EDPS, is an independent supervisory authority whose members are elected by the European Parliament and the European Council in order to protect personal information and privacy, in addition to promoting and supervising data protection in the EU’s institutions and bodies. The role of the EDPS includes, among other things, advising on privacy legislation and policies to the European Commission, the European Parliament and the European Council and working with other data protection authorities to promote consistent data protection across Europe.

2015 — The most important year for European marketers?

The forthcoming EU Regulation has been discussed and debated in extraordinary detail by European bureaucrats, and it’s clear that public patience is wearing thin as existing data protection laws, such as the Data Protection Act 1998, look increasingly out of date and no longer ‘fit for purpose’. It’s clear that European laws have struggled to keep pace with technology changes that have impacted two fundamental rights — privacy and identity.

In the wake of the Snowden revelations, there’s increased public expectation of a uniform approach to European data protection, with calls for more sophisticated compliance tools and even stronger sanctions for those organizations and companies that transgress the new rules. However, it would be wrong for the EU Regulation to be rushed through in its final stages, as consensus on its scope and approach is required for it to be effective and workable. But that time has almost arrived.

[Figure a: illustration]

Next steps

The Council of Ministers is still reviewing the draft EU Regulation at a technical level, and negotiations on the proposed text between the Council of Ministers and the European Parliament will only commence once the Council of Ministers is ready. The earliest there could be agreement on the draft EU Regulation is likely to be at the end of 2015/early 2016 — and the expectation is that the revised data protection framework will be in place by mid-2017.

Marketers should start preparing now and follow the best practice guidance issued by the ICO ahead of the EU Regulation, as much of the Regulation will be a codification of that guidance. Doing nothing now is a recipe for disaster and simply creates a business continuity risk that can so easily be avoided.