The development of technology has enabled businesses to act globally and be less limited by geographical boundaries. From our sofas we can shop online from almost any country in the world; companies can achieve a market presence in a country without having a single employee there; and in the world of iCloud and Dropbox we can access our files wherever we are, yet have no idea where they are actually stored.
So, as digital “borders” blur, how is the EU Data Protection Legislation evolving and what are the implications for marketers?
Let’s look first at the existing legislation. The existing UK 1998 Data Protection Act says that “Personal data shall not be transferred to a country or territory outside the European Economic Area (the 27 Member States of the EU plus Iceland, Liechtenstein and Norway) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
Of course that’s not quite the whole story. You still have to adhere to the other principles of the Act, such as informing individuals that their data is being transferred and ensuring that the transfer is made with appropriate security. Also, in the UK our current legislation allows a data controller to transfer data outside the EEA based on its own assessment of the adequacy of protection – and this difference highlights another key challenge: that there are differences in the national implementation of the 1995 European Data Protection Directive across the EU. Complaints have also been voiced about the complexity of the 1995 Directive regarding data transfer.
Those hoping for some advancement with the new European Draft Data Protection Regulation are, however, likely to be rather disappointed.
While some of the rules on transferring personal information to countries outside the EEA have been made more business-friendly, the Draft Regulation arguably also takes a step backwards, and raises many more questions.
One of the proposed key changes is that the laws of the country where the data is held become less important than the question of whose data it is. So, for an EU citizen, no matter where their data is processed, the law that would apply under the Draft Regulation is EU law. It’s nice to feel protected, but one wonders just how practical it will be to enforce this globally. How will organisations around the world even be able to identify that they are dealing with EU citizens? In a digital world, nationality is not always obvious, and even if it were, why should organisations really care about laws in another country?
The differences in interpretation of the 1995 Directive between Member States were one of the key catalysts for the revision of the legislative framework. And, indeed, one of the key provisions of the Draft Regulation is for there to be co-operation between the national data protection authorities in the Member States to ensure consistency in the way the Regulation will be enforced. But the revision has introduced an element of prescriptiveness which is actually more limiting for UK organisations than the current data protection laws – for instance, the Draft Regulation removes the ability of an organisation to make its own risk assessment on data transfers to countries outside the EEA. Instead it reinforces the need to adhere to sanctioned processes and the Draft Regulation’s own definition of adequacy.
And this is one of the key areas that the ICO felt was not going in the right direction. The ICO has doubts about the way the Draft Regulation bases “adequacy” on the nature of the law in a particular country. It feels that “adequacy should be assessed more in relation to the specific circumstances of the transfer and less on the adequacy or otherwise of the law of the country the recipient is established in.” So, in other words, if I am transferring data to a reputable global firm in a country whose national data protection legislation is not adequate, why would that really be a problem?
Aside from the general concerns about the practicality of many of the proposed changes, the question of adequacy seems to be the hottest topic for debate. This is one of the aspects of the Draft Regulation that the ICO believes most needs to be amended to deal more realistically with current and future international data flows. The ICO (and we) believe that a future data protection framework should focus much more on risk assessment by the exporting data controller, and that it should be clearer about data controllers’ responsibility wherever they choose to process personal data.