Data protection reforms as drafted would 'stifle growth and innovation', UK trade and business bodies say

Out-Law News | 02 May 2012 | 3:11 pm | 5 min. read

Planned changes to data protection rules in the EU would "stifle growth and innovation in the UK", five trade and business groups have said.

In an open letter to ministers the groups said small businesses would be hit "hardest" by the reforms currently proposed.

The letter was sent on behalf of the UK's Internet Advertising Bureau (IAB) and Direct Marketing Association (DMA), the Federation of Small Businesses, Interactive Media in Retail Group (IMRG) and the Coalition for a Digital Economy (Coadec). The groups hope the Government "strongly emphasises" their concerns when debating the reforms with EU counterparts and builds "allies" to obtain changes to the way those reforms are drafted.

The groups said that whilst they welcome plans to "streamline" EU data protection laws and make them more "relevant" for the internet age, the current proposals would harm the ability of small firms to do business.

"We strongly believe the responsible use of data can bring significant benefits to consumers, to business, to government and the public sector, and to the UK economy as a whole," the groups said in their letter (2-page / 136KB PDF). "A more restrictive and prescriptive regime for the use of this data, as is being proposed, risks denying small businesses and retailers the revenue they require to support, drive and develop their activities."

"But – importantly – the proposals do not just risk chilling the evolution of business models. They would also place significant burdens on existing businesses, in the form of unnecessary and burdensome red tape. Rather than saving businesses money we believe that the proposals will make it more difficult to do business in the UK and across international borders," it said.

The groups' letter said that a survey of British businesses had revealed that 87% would be unable to comply with the Commission's proposed new rules on data breaches and that 72% believe "the rules would result in over-disclosure."

In January the European Commission set out plans to replace the 1995 EU Data Protection Directive with a new General Data Protection Regulation. If enforced it would introduce a single data protection law across all 27 EU member states, in contrast to the Directive, which does not require word-for-word implementation into national law.

Companies whose data processing operations are based outside the trading bloc would be subject to the new rules when processing personal data of EU citizens. The Commission also laid out plans for a separate Directive to govern the way law enforcement processes personal data.

The draft Regulation outlines plans to force companies that experience a breach of personal data to inform regulators and any individuals concerned with certain information about the breach "without delay and, where feasible, not later than 24 hours after having become aware of it". The information should include recommendations over what people can do to "mitigate the possible adverse effects of the personal data breach".

Under the plans, regulators would have the power to fine businesses up to 2% of their annual global turnover for failing to notify breaches or for other serious breaches of the Regulation. Organisations not engaged in economic activity could be fined up to €1 million for serious breaches.

However, UK data protection watchdog the Information Commissioner's Office (ICO) said in February that it is "unrealistic" to expect organisations to report personal data breaches within 24 hours and that not all breaches should be reported to the public. The ICO also said that regulators will not be able to hold companies based outside the EU accountable to the proposed new regime unless current enforcement mechanisms are changed.

Other prominent measures included in the draft new data protection laws that would affect businesses include a requirement for firms of any size whose "core activities ... consist of processing operations which ... require regular and systematic monitoring of data subjects" to appoint a data protection officer (DPO).

DPOs would also have to be appointed by businesses with more than 250 permanent staff, as well as by public bodies. The officers would be responsible for advising their organisations on data protection issues, monitoring the implementation of data protection policies and adherence to the law, and acting as the point of contact for regulators.

Businesses would also be required to keep a record of their personal data processing and provide the information upon request to regulators under the terms of the draft Regulation.

Organisations operating in the EU would also generally have to obtain explicit, freely given, specific and informed consent from individuals in order to be able to lawfully process those individuals' personal data under the laws being proposed. Consent would not be able to be gleaned through silence or inactivity on the part of individuals and instead would have to be obtained through a statement or "clear affirmative action" before it could be said to have been given.

Organisations could justify processing personal data without consent in select circumstances, including where the "legitimate interests" of the organisation outweigh the fundamental rights of the individuals concerned. However, in the case of direct marketing for commercial purposes, consent would be required before personal data could be processed, the proposals said.

The draft Regulation also contains plans to give individuals a general 'right to be forgotten' to force organisations to delete personal data stored about them "without delay". Organisations that make the data public would be liable for third parties re-publishing the information and would be required to "take all reasonable steps, including technical measures" to inform those third parties that they should delete the information.

In their letter the five business groups said the impact that the Commission's proposals would have on small businesses had not been fully "clarified" and that a full analysis of how the reforms would affect those firms' "competitiveness" had also not been undertaken. The Government should "ensure that the European Commission gets the balance right between safeguarding individual rights and enabling a business-friendly playing field," they said.

"We urge the Government to ensure that the UK champions the cause of small and medium-sized enterprises. We need to ensure the UK retains its lead as Europe’s leading small business, ecommerce, advertising and digital hub," the groups' letter said.

Marc Dautlich, expert in data protection law at Pinsent Masons, the law firm behind Out-Law, previously expressed concern about the "burdens" that the new laws could place on businesses. He said that medium-sized companies would "balk" at having to employ a data protection officer even if they did not process much personal data.

Dautlich also said that giving organisations only 24 hours to report data breaches was an insufficient amount of time for those companies to assess the impact of those breaches and recommend effective remedies to customers.

The European Commission's proposals have already been heavily criticised by UK business representatives. In March the Confederation of British Industry (CBI) said the Commission's plans were "unworkable" in their current form.

The CBI expressed concern over the complexity and uncertainty that it said the new laws would bring and said that the reforms may place businesses at a competitive disadvantage compared to organisations that operate elsewhere in the world.

The Government opened up a 'call for evidence' on the Commission's proposals earlier this year. The Ministry of Justice (MoJ) said at the time that it would use the information provided to shape how the Government would negotiate over the planned reforms. The call for evidence closed on 6 March and a paper summarising the responses is due to be published on 4 June.