The legal newswires have lit up in the last two weeks since the European Commission issued new draft data protection regulations – data protection is big news these days!
The media reception to these regulations has been, I think, surprisingly neutral. The UK ICO (being diplomatic) has said that there are good things in the regulations but “the proposal is unnecessarily and unhelpfully over-prescriptive” and “it poses challenges … and risks an unhelpful 'tick box' approach”. Where have we heard that before?
I will be less diplomatic – I think many parts of the new regulations will cause a major headache for businesses and not least for companies looking to outsource and outsourcing suppliers for the following reasons:
- The new regulations are long and complex - 118 pages, 139 recitals. Like other things in life, you cannot judge a statute by its length, but that is a lot of law to understand. Data protection compliance officers and lawyers are very happy!
- The current laws restricting personal data export are pre-Internet, impractical and cause no end of “box ticking” when negotiating outsourcing contracts. The ICO to its credit has always taken a sensibly pragmatic approach to this area and was hoping these laws would be relaxed. Sadly it looks like we are heading instead towards more regulation of data export. Businesses will have to show they meet a condition for lawful data export – they will no longer be able to decide based on the type of data and other factors that the export meets a protection adequacy test.
- Outsourcing providers acting as data processors will be exposed to the full weight of compliance. Under current law, as data processors, outsourcing providers are not directly obliged to comply with the law (they only have contractual obligations). The new regulations will require data processors to be directly compliant in several respects – for example, they will have to “maintain documentation of all processing operations under its responsibility” including “descriptions of categories of data subjects and of the categories of personal data relating to them”. They will also have to comply directly with the data export laws. Better cost that into the next deal!
- Businesses outside the EU also need to look out – don’t think that being based in the Philippines will save you. The regulations also apply to data controllers based outside the EU if they are offering goods or services to data subjects in the EU or “monitoring their behaviour”. That may affect a few offshore service providers.
- If you get it wrong the fines will be much higher – up to two per cent of annual turnover. You cannot afford to ignore this.
Data protection is important and it is a legitimate expectation of all EU citizens. Sadly, instead of creating a new set of regulations which take a proportionate, risk-based approach, the EU Commission is keeping the old and layering lots of new (and some frankly unworkable) requirements on businesses. This will add cost to outsourcing.
I hope the ICO fights a rearguard action on our behalf. I fear they may be a lonely voice in the debate.