Data Protection Directive

The Data Protection Directive (Directive 95/46/EC) is a piece of EU law laying out individuals' rights with regards to data held on them by organisations, and regulating the data processing that may be permitted for those organisations. It has legal weight across the entire European Union and provides the basis for data protection legislation throughout Europe, including the United Kingdom's Data Protection Act.

The Directive is currently undergoing scrutiny in various committees, and is currently awaiting its first reading in the European Parliament. [1]

Committees and procedure

The Committee on Civil Liberties, Justice and Home Affairs (LIBE) is the committee responsible for the EU Data Protection Directive, with Jan Albrecht managing the issue. Along with LIBE, the Committee for Employment and Social Affairs (EMPL), the Committee for Industry, Research and Development (ITRE), the Internal Market and Consumer Protection Committee (IMCO) and the Committee for Legal Affairs (JURI) have thus far been involved in the process.[2] LIBE will vote regarding the measure in April 2013.[3]

Key amendments

A new draft, which proposed a number of amendments, was released in January 2013, proposed by Jan Albrecht, Rapporteur for LIBE.

Extended Territorial Scope

The Report expands the application of the Proposed Regulation to non-EU based data controllers to cover all data processing activities aimed at (1) offering goods and services to EU residents (even if they are free of charge), or (2) monitoring EU residents in general,

Clarification of Key Concepts

The Report clarifies the concept of “personal data” to cover data relating to individuals who can be singled out,

Changes to the Legal Bases for Data Processing: Legitimate Interest and Consent

The Report limits the scope of the “legitimate interest” legal basis for data processing to “exceptional circumstances,” on the condition that the data controller (1) informs the individuals concerned explicitly and separately, and (2) publishes the reasons for believing that its interests override the interests or fundamental rights and freedoms of the individuals. In turn, the right to be forgotten can be overruled if there is a valid legal reason to do so,

Reinforcement of data subjects' rights

The right of access is strengthened to include a right to data portability, and data controllers would be required to provide and communicate their privacy policies using a multi-layered approach. Profiling of individuals also is further restricted.

Data Protection Officers

The employee-based criterion for data officers is replaced with a new test; data controllers should appoint a data protection officer if they process data relating to more than 500 data subjects a year,

Breach notification, fines and compensation

Data breaches should be notified to the National Supervisory Authority within 72 hours, rather than the 24 originally prescribed. The scope for the highest category of fines has also been increased,

International Data transfers

The report inserts new provisions addressing data transfer requests from courts and authorities in third countries, imposing the need to obtain prior authorization from the national supervisory authorities in certain cases.[4]

UK Government Impact Assessment

Whilst the EU's impact assessment cited annual administrative savings of 2.3 billion euro's, the UK governments assessment suggesting that implementing the new directive could lead to an increase in costs of up to £300 million a year. The key findings of the governments report were:

  • Notifying data loss breaches will cost £90 million per year
  • Subject Access Requests (SARs) Requests will cost £30 million per year
  • Data Protection Impact Assessments (DPIAs) will cost £80 million per year
  • Data Protection Officers (DPOs) will cost £160 million per year
  • ICO costs will increase to £40 million per year
  • Demonstrating Compliance will cost £30 million per year[5]

This rejection of the new directive mirrors the stance of the UK Government since 1984; data protection is seen as more of a cost to businesses and is therefore more important than the protection of the individual. In the statement released to parliament, the Government argued that:

"The UK Government is seriously concerned about the potential economic impact of the proposed data protection Regulation. At a time when the Eurozone appears to be slipping back into recession, reducing the regulatory burden to secure growth must be the priority for all Member States."[6]

Chris Pounder of Amberhawk[7] scrutinised both the EU and the UK governments findings suggesting that the calculations had to an extent been manipulated to support their respective stances. Pounder insinuated that many of the extra costs that would be incurred on the UK's impact assessment are already covered. Consequently, he dismissed cost as an issue facing the Data Protection Regulation.