This week the EU proposed a major overhaul of its data protection. As the largest trading bloc in the world, what the EU thinks about data matters. Here’s a summary that my firm, Osborne Clarke, prepared:
All organisations hold and process personally identifiable data – not least about their staff, customers or suppliers, or all three. In Europe how this data is handled has been regulated by data protection laws since the early 1980s. Those already complex laws are set to be shaken up by the European Commission (EC) which on 25 January 2012 announced a radical overhaul of the Data Protection Directive.

If adopted the changes will have a huge impact on all organisations with European facing operations, as will the suggested penalties for those who get it wrong. Large fines (up to 2% of global turnover have been proposed) are being lined up for local regulators to impose on non-compliant organisations.
In short, the new laws will:
- increase the regulatory burden on organisations with European operations
- increase the amount of time, money and personnel required to achieve compliance
- raise the stakes, in terms of potential fines and brand damage, which could arise from non-compliance
Once the EC’s proposals have passed through the European parliamentary system, because they are in the form of a “Regulation” they will have direct effect in every EU Member State with minimal further scope for debate, or rationalisation. While a more harmonised data protection regulatory landscape sounds appealing, the uncompromising approach taken by the EC’s draft Regulation is a cause for concern for business.

Key points proposed by the EC’s draft Regulation include the following:
(a) Fines – national data protection regulators will be given the ability to impose significantly higher fines of up to 2% of global turnover where basic knowledge/consent obligations or requirements to adopt good policies and procedures are not followed.
(b) Data Protection Officers (DPO) – private sector companies with more than 250 employees, or whose core activities involve regular monitoring of individuals, as well as public authorities will all be required to formally appoint a DPO. The DPO must be empowered by their organisation to act as an independent assessor of its compliance with data protection laws and report to the board of directors in doing so. The Regulation specifically requires the DPO to co-ordinate data protection by design and privacy impact assessment initiatives (see below for more details on both) and to be responsible for data security initiatives generally. Responsibility for training staff is also mentioned as important. In short, the DPO must ensure that his/her organisation has adopted good data governance policies and procedures.
(c) Audits, data protection by design and privacy impact assessments – organisations will be required to demonstrate that they have undertaken regular data protection audits and privacy impact assessments (PIAs) using recognised industry standards (such as ICO’s PIA criteria). Key will be demonstrating that new processing systems and activities have only been introduced after privacy compliance and risk mitigation steps have been implemented. A key role of an organisation’s DPO will likely be co-ordinating such privacy by design initiatives. Regulators can designate processing activities in respect of which organisations should always proactively run a PIA before processing commences. The Regulation sets out a starting point list which includes any activities using data about an individual’s “economic situation, location, health, personal preferences or reliability of behaviour”.
(d) Security breach notification – organisations will have to notify data protection authorities within 24 hours of establishing that they have suffered a data breach or explain why it is not possible to provide full details of the breach. Slick internal procedures will therefore be required to verify suspected breaches and establish what has been lost or subject to unauthorised access.
(e) Expanded consent requirements – the EC’s proposals include a radical overhaul of the level of consent that is required before organisations process data. At the heart of this change is the requirement that consent to use personally identifiable information should always be obtained in advance and on an opt-in basis before it is used. Thankfully the EC has pulled back from requiring parental consent to be obtained from under 18 year olds, as required by an earlier draft of the Regulation leaked in November. The bar is proposed at 13 in the draft Regulation published in January.
(f) Data portability – individuals will be given the right to demand that an organisation should transfer any or all information held about them to a third party organisation in a format which the individual determines. This increases the control that individuals have over data which identifies them and makes it easier for them to transfer business or employment relationships. It remains to be seen who will be required to cover associated costs of such an exercise, but it seems very likely that the transferring organisation will be expected to do so.
(g) Jurisdictional reach – the new laws will apply to anyone processing data in the EU as well as those outside Europe who offer goods or services to EU citizens. For a multi-national organisation, the location of its European HQ will determine which EU Member States’ laws bind it, and which regulatory authority will have jurisdiction over it. That said, individuals will be given wider ranging powers to bring action personally against an organisation (either in the country where a non-compliant organisation is located or in the individual’s local courts). Trade associations will also be empowered to bring class actions on behalf of their members. For the first time data processors will share equal responsibility and liability for compliance with the new laws raising the stakes for IT service suppliers.
(h) Data transfers – Europe’s painful data transfer laws will be relaxed in that more options will be made available to enable organisations to share data with non-European third parties. Specifically, the policy implementation known as Binding Corporate Rules will be formalised as a mechanism enabling data transfer compliance, which is good news for multi-site, multi-national businesses.
(i) The right to be forgotten – individuals (children, defined as under-18 year olds, are mentioned in particular) will have the ability to demand that information published about them online is deleted and is not republished. Organisations which receive such a demand must take all reasonable efforts to inform other website operators of the existence of the complaint which they have received. The right, which is particularly relevant to social media businesses, is subject to some exemptions. These include one benefiting journalists publishing stories in the public interest, raising the question: is a blogger or someone who posts an opinion on a website a journalist? But questions remain about how practical the regulation is and who would bear the costs of complying with it.
For more information about the proposed amendments to Europe’s data protection laws or for a copy of Osborne Clarke’s guide to complying with them please contact James Mullock (firstname.lastname@example.org) [Jas: you can read more about what James thinks about the new proposals here, here and here]
What does this mean for the games industry?
If/when these proposals become EU law, in theory they will apply legally to the games industry in the same way they apply to any other industry. In practice though I suspect these laws could be a particular headache for games businesses because:
(1) the modern games industry is built on data collection and use more than any other creative industry;
(2) the games industry hasn’t historically worried too much about data protection (except maybe when something like the Sony PSN or similar hacks happen); and
(3) these reforms will in principle affect every business in the games industry, from indies through to the largest publisher. Yes, they’ll hit the publishers hardest because they’re the most substantial in size, but it’s not publishers alone who would have to comply with these laws.
Example: most publishers would be obliged to appoint a Data Protection Officer since they have a headcount of >250. Indies don’t and therefore wouldn’t have the same obligation. BUT, both publishers and indies would have the same obligation to, for example, notify regulators of data breaches within 24 hours or give users the ‘right to be forgotten’.
As a result, many commentators have already pointed out that these reforms have the potential to add a big layer of red tape to small businesses of all kinds in the EU. Whether that remains the case once this becomes law we’ll have to wait and see – but any way you cut it, you need to know what’s coming up for the future of data protection if you’re involved in exploiting data.

In the meantime, if you want to understand how data protection law works at the moment and therefore what your legal obligations are right now, read this guide to data protection I wrote on gamesindustry.biz.