Out-Law News | 29 Jun 2012 | 2:35 pm | 6 min. read
The Ministry of Justice (MoJ) said that the Commission's assessment on the impact its draft General Data Protection Regulation would have on businesses does "not properly quantify the costs which would be imposed on business through compliance with the proposals."
It added that the Commission had also "potentially" overstated the benefits of creating a single data protection law to govern across the EU.
"The [Commission's] Impact Assessment does not assess the cost of many measures that will have an impact on business (including small businesses), such as strengthened subject access rights and the 'right to be forgotten', while also under-estimating the cost of those measures that are quantified, such as the cost of compulsory Data Protection Officers in large corporations and those processing 'risky' data," the MoJ said.
The Government department said it would work to "try to better quantify the costs and benefits of the Commission's proposals on the UK economy" as well as seek "to better understand" the benefits of having a single-applicable data protection law in the trading bloc.
"This assessment of the impact will help to inform the UK's negotiations with the EU and ... it is our intention to publish our analysis" before the end of the year, the MoJ said.
The MoJ detailed its intentions in a document containing a summary of responses (84-page / 451KB PDF) it had received to its call for evidence on the Commission's proposed data protection reforms. The draft General Data Protection Regulation (119-page / 589KB PDF) was published by the Commission in January, although ministers from the EU member states and the Commission have already begun revising its content.
If enforced, a data protection Regulation would introduce a single data protection law across all 27 EU member states. The Commission's intention is for the new laws to also apply to companies that process personal data of EU citizens from outside the borders of the trading bloc, although the UK data protection watchdog has questioned whether that would be enforceable.
The MoJ said that it would try to negotiate major changes to the Commission's draft plans in order to make the proposed regime less burdensome for businesses. It said that it would "resist new bureaucratic and potentially costly burdens on organisations which do not appear to offer greater protection for individuals."
An example of the bureaucratic and costly measures included within the Commission's draft is the plan to introduce a mandatory requirement that organisations conduct data protection impact assessments where the personal data processing presents "specific risks" to individuals' rights, the MoJ said.
Requiring those organisations to seek prior authorisation from regulators for that processing is also disproportionate, it added. A "large" number of respondents had claimed that it would be "very onerous" for companies to wait for approval of outsourcing contracts and that it could potentially delay outsourcing transactions. Others said that regulators could be swamped with approval requests and that individuals would see it as a "nuisance" when organisations seek their views during the impact assessment process.
The MoJ added that requiring all companies with more than 250 permanent staff to employ data protection officers would also add disproportionate costs to achieve the safeguarding of personal data. Whilst the Commission has estimated that the cost of employing data protection to be €320 million each year across the EU, the MoJ estimated that the cost to businesses in the UK alone could be estimated at £147m.
The summary of responses document outlined concerns expressed with the Commission's plans from across different industries, including media, IT and financial services. The telecoms sector said that its assessment of the "implications" of the proposed new framework was that it would "result in significantly increased complexity and cost that will outweigh any potential cost-savings."
Organisations said that ensuring that existing information they hold complies with the new laws "would have a financial impact on them". A respondent from the media industry estimated that it would cost £10-15 million to comply with the "data minimisation principle". Under the Commission's draft proposals organisations processing personal data must make sure that information is "adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed."
New rules around individuals' consent to personal data processing could also result in "considerable" printing and storage cost burdens for businesses, respondents said.
Under the Commissions proposals organisations operating in the EU would have to obtain explicit, freely given, specific and informed consent from individuals to rely on consent as a legitimate ground for processing personal data. Consent would not be able to be gleaned through silence or inactivity on the part of individuals and instead must be obtained through a statement or "clear affirmative action" before it can be said to have been given.
However, one credit reference agency said financial services firms could be particularly affected by increased costs in defending against claims by individuals that they had not given their consent to processing.
"With the burden of proof now with the data controller it may be that every challenge by a consumer (or organisation acting on the consumer's behalf) will require, in the case of a credit reference agency search being challenged, a copy produced of the original consent obtained by our client at the time they carried out the search of our database," the credit reference agency said. "This may prove very costly, highly bureaucratic and time consuming for both us and our clients should organisations such as claim management companies target such activity."
The MoJ outlined its intention to seek an "overhaul" of the current drafting of new rules on individuals' so-called 'right to be forgotten'. It said it would seek changes "given the practicalities and costs and the potential for confusion about its scope for both organisations and individuals." However, it added that individuals should have the right for the personal data to be deleted "where this is appropriate". Some businesses have estimated that the cost of "changing their business processes" to comply with the right to be forgotten could be as much as £100,000.
Provisions contained in the draft Regulation enable individuals to force organisations to delete personal data stored about them "without delay". Organisations that have made the data public will be liable for the data published by third parties and will be required to "take all reasonable steps, including technical measures" to inform them to delete the information. However, organisations can oppose the deletion if they can show they have a right to publish the data under the principle of freedom of expression or if it is in the public interest for the data to remain in existence.
Other respondents questioned whether requiring businesses to build-in privacy by default into new service designs would bring more benefits than costs.
Concern was also raised that planned new 'data portability' rules do not allow for organisations to protect their trade secrets and intellectual property rights. The Commission's plans provide consumers with a general right to switch electronically processed personal data from firm to its rival through a "commonly used" electronic format. Businesses said that the costs involved in changing systems to comply with data portability requirements could be as much as £5m and that those costs would likely have to be absorbed by consumers.
Plans for the detail for the operation of the proposed new data protection regime to be fleshed out in 'delegated acts' drawn up by the Commission were also criticised. Businesses had said that if the Commission dictated the "technological format and specifications" to be used, such as in relation to compliance with the data portability rules, it could leave companies "at a financial loss" where those firms had already developed and invested in alternative industry standards.
The MoJ said that a review of the "monetised costs" of compliance of current UK data protection laws had estimated that data controllers spend around £53m meeting the requirements of the laws and that an extra £1m is borne by the justice system enforcing the framework. The review had concluded, though, that the "true cost of compliance" was likely to be higher.
"The [review] also found non-monetised costs which included extra staff hired to ensure compliance with the [Data Protection Act (DPA)], costs for those who have received penalties, as well as impacts where the incorrect application of the DPA has stopped organisations sharing information," the MoJ said.