EU data protection: regulation awakens
Negotiations have ended in Europe around the new data protection laws to replace the Data Protection Act 1988. New European Union (EU) legislation, informally agreed on 15 December 2015, will create a uniform set of rules across the EU fit for the digital era.
The European Data Protection Regulation (EDPR) will replace the EU's current data protection laws, which date from when the internet was still in its infancy. The new rules will give citizens more control over their own personal data in a digitised world. At the same time, they aim to ensure clarity and legal certainty for businesses, thereby boosting innovation and furthering the development of the digital single market. Going forward, failure by a business to comply with the EDPR will mean severe financial consequences.
The European Parliament (EP) and Council will adopt the informal agreement on the EDPR in spring 2016. Member States will then have up to two years to apply its provisions.
A new age
In January 2012, the European Commission (EC) proposed data protection reforms. Even since that time, we have seen a transformation in the threat faced by companies from cyber hackers and associated data breaches. Likewise, the associated regulatory consequences and the impact in respect of reputational and financial damage have been stark. The recent and high profile cyber-attack on TalkTalk is illustrative, which led to the theft of customer information that was then posted for sale on the 'dark web'. At the time of the attack, there was the suggestion that TalkTalk could be fined by the Information Commissioner’s Office (ICO) up to the maximum available fine of £500,000. Such a fine will seem small once the EDPR comes into force by 2018.
The right to decide
The EDPR is being hailed as a new ‘fundamental right’ for citizens. Citizens will have easier access to and control of the personal data held by companies, including around the processing of consent. They will have a defined ‘right to be forgotten’, and, through the tightening of the rules on businesses, a right to know when their data has been lost or stolen.
However, what does this mean for businesses?
At the outset of the reform process, the EC was of the view that fines of up to 2% of a firm's total global annual turnover should constitute a real deterrent. Following pressure from the EP that percentage has doubled to up to 4%.
Businesses will also face joint liability with their data management partners. This is a key tenet of the reforms. At present, only the ‘data controller’ is liable for a data breach. The EDPR extends liability to include providers of outsourced operations ('data processors'). This may provide some comfort for businesses where the management of customer data is provided externally, as they will no longer be solely responsible if a data breach occurs. However, such a requirement also has the potential to increase significantly operational costs. Given the deterrent nature of the fines that could be imposed, businesses are likely to want to manage their outsourced operations very closely.
‘One stop shop’ for complaints and enforcement
National Data Protection Authorities (DPAs) will be enhanced to become a first instance body where citizens can complain about data breaches. In the UK, the ICO will take on the role of the lead DPA and be responsible for co-operating with other DPAs to ensure consistency of approach in reaching a decision. A new European Data Protection Board will step in where issues arise as to the level of penalties imposed between DPAs.
Avoiding red tape
Firms will have to appoint a data protection officer if they are handling significant amounts of sensitive data or monitoring the behaviour of many consumers. Small and medium sized enterprises (SMEs) will be exempt from the obligation to avoid the red tape placed on larger organisations - unless, of course, data protection is their main activity.
A further positive step for SMEs will be the scrapping of notifications to supervisory authorities, estimated to cost business EUR 130 million per year. This represents a significant change to the current regime. Large businesses will still have to notify breaches to a single supervisory authority.
Security versus privacy
While the EU is focussing on enhancing citizen’s privacy, some national governments are enhancing their access to citizen’s data – citing national security concerns.
In an early ‘right to be forgotten’ case in 2014, Google were given formal notice from the French data protection regulator to de-list links not just across Europe, but globally. In response, Google has suggested that the right to be forgotten only applies in Europe and not internationally, arguing that as a matter of principle no country should be able to control content accessed elsewhere.
The UK government has proposed the Investigatory Powers Bill 2015, which if enacted will require internet and telephone companies to store the records of websites accessed by citizens for 12 months to enable access by law enforcement agencies and the security services.
The Investigatory Powers Bill highlights a tension for businesses between privacy and security. On both fronts, businesses are coming under increased pressure to comply with both agendas. Consider the effect on a company such as WhatsApp. In the UK alone, one billion private, encrypted WhatsApp messages are sent every day. If the Investigatory Powers Bill becomes law, will a company such as WhatsApp have to cooperate with government demands for access to data, whilst attempting to enshrine and uphold the EDPR? Where does the balance lie between security and privacy lie?
The EDPR means companies must ensure they have appropriate security procedures in place to prevent loss of data by the time the legislation comes into force in early 2018.
The risks faced by insureds have changed and with them, as has insurers’ exposure.
Initially there was some scepticism in respect of the benefits of cyber insurance. The EDPR, coupled with the large-scale hacks of recent years, has increased cyber-security attention. No doubt should remain as to the need for businesses to have comprehensive cyber cover in place.
The existing market may wish to review the level of premium in light of the dramatic increase in penalties. Consider the impact of the imposition of an EDPR fine on a company such as TalkTalk. Rather than facing the current maximum fine of £500,000, if the data breach had taken place under the EDPR, it could risk a fine of up to £36.5 million. That amount would be in addition to the substantial costs already incurred (estimated at £30 to £35 million in November 2015).
This article was written for Insurance Day, with abstracts published on 13 January 2016.