European data regulators revisit how to keep data safe without hindering business amid the realities of a modern globalized world.
The data protection legal framework adopted by the European Union (EU), which puts constraints on what companies can do with personal information collected from consumers (see related piece in “Technofile,” page 48), has long been viewed by businesses as onerous to comply with, especially those accustomed to the less restrictive U.S. laws on handling most personal data. Now it appears that the call for updating the law is gaining advocates. Among those championing a change is Richard Thomas, the United Kingdom’s former Information Commissioner, who spoke out on the issue before leaving office in June.
Those comments echoed the results of a RAND Europe study, commissioned by the Information Commissioner’s office, which concluded that the EU’s 14-year-old Data Protection Directive will not suffice in the long term as society becomes more globally networked.
“The directive is showing its age,” Thomas said in a statement accompanying the release of the RAND study. “Modern approaches to regulation mean that laws must concentrate on the real risks that people face in the modern world, must avoid unnecessary burdens, and must work well in practice,” he said.
Thomas noted that advances in technology, the growing global marketplace, and the need for personal information to cross international borders mean the law must evolve.
Among the problems with the law is that it unnecessarily inhibits the free flow of personal data both within the EU and abroad, according to the RAND study. For example, the directive places restrictions on data transfers to most countries outside the EU. It allows such transfers only if the country outside the EU is deemed to have an “adequate level of protection” or if other criteria are met, such as if the consent of the data subject is obtained.
In practice, only the countries that follow the directive are considered to have an adequate protection regime, despite the fact that regulation in some nonmember countries is stronger than in the EU, the report notes.
The directive also does not account for the way modern information often flows. “The presumption in the directive really is that data moves along a line from A and into B and then on to C,” says Bridget Treacy, partner at the international law firm Hunton &Williams. “And, of course, that’s not the way the world operates.” In cloud computing, she notes, the data is in one place, and it’s accessed by multiple parties, often simultaneously.
Cloud computing architectures run counter to the directive’s requirements because companies need to know where the data is, document the data flow, and understand how it flows across and between jurisdictions, she says, and that is difficult to do in a cloud context.
“The fix for that is that often companies will use architectures that have a European base or server for the European data,” says Treacy. Then they’ll be forced to use another server or data center located outside of the EU for all of the non-EU business. “So [they] can’t fully take advantage of these technologies,” she says.
The implementation of the directive has also been criticized. For example, privacy policies developed by businesses operating in the EU should provide transparency of data processing through better information, but they are inconsistent and ineffective, according to the study.
Moreover, while these privacy policies are, in theory, aimed at consumers, they are often written by and for lawyers. The result is that policies are full of complex legal terminology, and consumers either don’t read them or have trouble interpreting them. “Their use is predominantly targeted to meet any applicable legal transparency requirement, rather than serving a real transparency benefit towards the consumer,” the report says.
Treacy adds that some measures have been implemented differently across jurisdictions, resulting in a lack of uniformity. For example, one mechanism requires organizations that are responsible for personal data to register with or notify the local data protection authority. In the United Kingdom, the process is quick and straightforward. “You just go online, fill in the form, pay your £35 annually, and you’re pretty much done,” Treacy says. In Poland, by contrast, the requirements are much more detailed, and the process takes much longer.
The disparities across jurisdictions cause difficulties for companies that want to do business on a pan-European basis.
While there is frustration about the current directive, Treacy says, there’s concern that reopening it may open a Pandora’s Box, because of the complexity of the issues and the various stakeholders involved.
Pandora’s Box or not, the process has begun. The European Commission hosted a conference in Brussels, Belgium, in May to explore the current status of the directive and where it is headed. The commission has invited interested parties to submit papers on aspects of the directive that would benefit from review.
Any change is likely years away, however. Treacy estimates at least five years. Meanwhile, companies must comply with the current framework.