However, the next few years will see a ‘sea-change’ in privacy and data protection law: organisations face a new privacy challenge.
Enter the EU General Data Protection Regulation (GDPR)
Known as the EU General Data Protection Regulation (GDPR), it is expected to be formally adopted in the coming months, although it won’t actually start to apply until mid-2018.
However, after nearly four years of debate and discussion in Brussels, it introduces new aspects that will require a different approach.
It won’t overhaul existing data protection law completely but organisations need to sit up and take note now.
So what’s new?
There has been a wide range of debate about the new regulation: Will it place too many restrictions on the use of data? How will the ‘open’ internet fare? Is it a ‘milestone’ for the digital world?
The devil is in the 200+ pages of text, but there are four specific changes to be aware of now:
1. It aims to deliver ‘one law across one continent’.
In updating the existing framework, the policy-makers in Brussels wanted to take into account the world we live in today where vast amounts of digital information are collected, exchanged and used every second.
They also sought to recognise that this world is global. To this extent, the new law is what is known as a ‘Regulation’.
So, unlike the ‘cookie law’ (the ePrivacy Directive, which each member state had to transpose into its own national legislation), it will apply directly and consistently across EU markets. However, in reality, many aspects are still left to national jurisdictions to decide.
2. Its scope is broad.
The drafters will argue otherwise. But, with a few exceptions, any data that can be linked to an individual is now ‘personal’, whether it identifies them directly or only indirectly (for example through an online identifier, a device ID or location data).
Therefore, in practice, a lot more data is swept up in the regulatory net.
3. The new law’s influence stretches beyond European shores in an attempt to recognise the global nature of data.
If an organisation is processing personal data about a person who is in the EU, in connection with offering them goods or services or monitoring their behaviour, then the rules will apply regardless of where the organisation is located.
4. The penalties for a breach have been ramped up.
For the most serious violations the maximum fine is €20m or 4% of annual global turnover, whichever is higher.
A need for consistent & practical EU-wide guidance
The political necessity to find an agreement in Brussels before Christmas contributed to many aspects of ambiguity in the final text.
But we should be used to this from policy-makers by now and, while organisations seek legal clarity, this may not be such a bad thing given what was on the table six months ago.
While the Regulation will be done and dusted by the middle of this year, there will be a need for consistent and practical guidance across Europe, particularly on areas such as ‘consent’.
Working with industry, Data Protection Authorities (DPAs), such as the UK Information Commissioner’s Office (ICO), need to produce consistent EU guidance to help deliver practical, realistic and creative ways of achieving compliance.
The experience of the ‘cookie’ law illustrates only too well that we require something that actually works for users: improving their control without interrupting their experience.
What about the Cookie Law?
The revised ePrivacy Directive stays in force for now.
However, it will eventually need to be aligned (specifically Article 5(3), which covers cookies and similar technologies) with the new Regulation to ensure organisations do not face ‘double regulation’.
There are many different views on its future and work is already underway to review it in Brussels.
What is clear is that, in the next few years, the data protection and privacy landscape is going to change.
The ICO, the UK body that will enforce the new law, has already kicked off its implementation process and it will soon have a new section of its site dedicated to this.
It is worth organisations following this and the ICO’s updates. Those businesses and organisations that get out in front are likely to gain the advantage.