The EU Data Protection Regulation

This post was originally published on the ICS Data Protection Blog. It is republished here as it is my original work and I am putting my Data Protection musings in one place.

Earlier this month we saw the leaking of a late draft of the forthcoming EU Data Protection Regulation. Yes. That’s right. Regulation. In other words: direct effect, a standardised legal framework across Europe, less wriggle room at local level, and no waffling and stalling by national parliaments as they butcher a Directive into national law.

The full final text is expected in January, with a 2 year implementation window being mooted.

Among the criticisms I’ve seen levelled at the Regulation is that it is “longer than the Directive it will replace”. Yes. It is. But that’s because it has had to do more than just replace the existing Directive; it has had to:

  • Update the Directive with new concepts such as the “Right to be Forgotten” and increased duties of transparency
  • Introduce new penalty structures (which were previously the preserve of the national enabling legislation that transposed the Directive) such as the 5% of Global turnover penalty for breaches of the legislation.
  • Define new governance structures for Data Protection in Europe at the EU level and between countries.
  • Impose sanctions on Data Processors who act beyond the terms of their processor agreement (currently the only sanction is for the Controller to sue in Contract law, assuming a contract exists).
  • Adapt the existing regulations and governance models to things like Social Networking, Cloud computing and mobile devices.
  • Figure out how to deal with extra-EU entities selling into the Internal Market (easy: they will have to comply with our rules now).

Buried among the new changes, one aspect that jumped out at me was the introduction of lower value “administrative” financial penalties for smaller incidents of breaches of the legislation. I for one hope that this proposal makes it into the final draft of the Regulation, as it would provide a tiered approach to penalties and put something tangible between “softly softly encourage compliance” and “hit the Controller with full prosecution”.

Another reason why I’d be interested to see this make it into the final Regulation can be found in this post here (in which I argue in favour of just this form of small scale fines based system).

(Yes folks, you read it on this blog first).