At last week’s Information Commissioners Data Protection Officers Conference in Manchester I had the privilege of being updated on the progress, or lack of progress, of the revised European Data Protection Act.
With the existing directive dating back over 17 years an upgrade is well over due but there is significant pressure from businesses to water down any revisions to the directive.
A watered down directive does not serve anyone, the privacy campaigners or those with commerce in mind, because breaches are happening far too often and breaches affect consumer confidence.
This means the larger retailers should be supporting stronger Data Protection controls so the smaller, less funded or less skilled businesses have the detailed controls and the incentives to put privacy and security first.
In the main hall and in the breakout room there was constant reference to the thinking about the issues before systems and processes are put in place. The two terms used were:-
- Privacy by Design
- Security by Design
Both Privacy by Design and Security by Design are essential for consumer confidence because they are demonstrable actions organisations can refer to when dealing with the users of their data.
Françoise Le Bail of the EU Commission stated that “23% of users feel they do not have complete control of their data when shopping online”. In other words almost a quarter of those who buy on line are suspicious of the people who want to take money from them. If those statistics were applied to bricks and mortar retailers the high street would look a lot worse than it does now and it already looks pretty bad.
Françoise Le Bail also stated that the EC’s priorities for the Act are: –
- The architecture of the framework
- Key provisions to include all personal data and consent
- A more risk based approach – proportionality
- Data Protection Offices are needed
- A consistent European wide level of governance
- Support for authorities by providing training and not just fines
David Smith the UK Deputy Information Commissioner stated the UK was not 100% in favour of the current draft proposals but the UK was largely supportive.
David Smith had a list of items that were favoured including:-
- Improved consistency across Europe
- Enhanced Individual rights
- Code of conduct and certification
However, the UK is looking for additional items to be added and a clarification on others, for example:-
- The UK wants a more “risk” based approach to personal data
- Individual compensation should not be restricted to monetary loss. It should also take into account aggravation and heartache.
- Data Protection training needs to be added to the school curriculum
- There are two proposals in place by the EU and the UK doesn’t want any more than that. The two proposals are Law Enforcement and everyone else.
Other items of note
- The date for the Act to be passed is likely to be June 2014 with enforcement two years later in 2016
- The 24 hour mandatory breach notification is likely to slip to 72 hours
- The maximum 2% of global turnover is likely to be approved but some members of the commission are pushing for it to be 10%
- Right to be forgotten is a big problem due to the nature of what can be forgotten and what should never be forgotten
- Data Portability is both a target for Europe and a problem and negotiations are on-going with the US and other nations on cross border data sharing.
- MiData now has 26 signed up companies and the drive for more is growing
Other blog posts on the subject are below:-
- EU Commission proposes a comprehensive reform of the Data Protection rules
- Proposed European wide Data Protection Act – a review