Out-Law News
20 Mar 2012, 10:41 am
The Confederation of British Industry (CBI) said draft legislation published by the European Commission in January was "unworkable" in its current form.
"Regulations that add complexity and uncertainty will be bad for European businesses and consumers, and will not deliver on aims to create 'future-proof' European data protection rules," the CBI said in a report (9-page / 2.39MB PDF) on the planned reforms.
"At worst we fear that the proposed changes may put European businesses at a competitive disadvantage. There is also a real risk that the proposed changes will deprive European consumers of the chance to engage in new, innovative and highly beneficial markets which become available to consumers elsewhere in the world," it said.
The CBI expressed concern about proposed new rules for obtaining individuals' consent to the processing of their personal data. Organisations operating in the EU will generally have to obtain explicit, freely given, specific and informed consent from individuals in order to be able to lawfully process their personal data under the proposed General Data Protection Regulation drafted by the Commission earlier this year.
Consent could not be inferred from silence or inactivity on the part of individuals and instead must be obtained through a statement or "clear affirmative action" before it can be said to have been given, the proposals said. Organisations can justify processing personal data without consent in select circumstances, including if the "legitimate interests" of the organisation outweigh the fundamental rights of the individuals concerned.
The CBI said that the new consent rules could see internet users swamped with on-screen requests for consent. This would adversely affect users' online experiences and lead to a 'tick box' exercise that would have "little or no benefit derived for anyone involved".
"Under the proposals, if businesses do not gain explicit consent from a customer for each data processing operation they carry out, they may have to prove that the processing was in either the customer's 'vital interests' or the firm's 'legitimate interests'," the CBI said. "Given the scope for legal ambiguity in this framework firms may simply judge it safer to gain customers' explicit consent every time a processing operation is carried out".
"Consumers' everyday experiences could be heavily affected ... as carrying out activities such as using price comparison sites or purchasing durable goods may require the user to agree to various forms of data processing and sharing along the way. It is unlikely that a consumer concerned with finding the cheapest flight, or registering a warranty for a newly purchased stereo, will wish to go into detailed explanations of each and every way their data may be processed," the CBI said.
The online advertising industry is also "severely threatened" by the "restrictive controls" placed on personal data processing contained in the Regulation, the lobby group said. These restrictions could also cause other industries reliant on advertising to lose out on revenues, and could also stifle the delivery of new personalised services to consumers, it said.
"Supporting free-to-use online content through selling advertising space is at the heart of many of the most popular websites and online news providers," the CBI said. "But maintaining a revenue stream from online advertising relies on using better quality data to maximise visitor 'click-through' rates. The viability of online advertising is severely threatened by the Commission's proposals, with knock-on effects for many content providers reliant on advertising revenues".
"The Commission must consider the unintended effects of restrictive data protection rules, before European consumers lose out," it said.
The CBI said businesses had welcomed some aspects of the Commission's proposals, including the draft rules that would allow firms with "cross-border operations" to "use a single 'home' data protection authority for all European data protection activities". Companies have also welcomed plans that would see them able to gain approval for 'binding corporate rules' that would govern how they would transfer personal data internationally within organisations, it said.
However, other aspects of the proposals could create "greater headaches for consumers, regulators and businesses alike," the lobby group said.
Rules that would require all organisations with more than 250 employees to appoint a dedicated data protection officer are also "costly and disproportionate," the CBI said. It added that the proposed requirement that organisations report all data breaches to data protection authorities 'without undue delay' could cause "an unhelpful number of notifications" to be made that "may negatively impact the quality of analysis that data controllers can carry out before making notifications".
"Many businesses feel that a more risk-based approach on data breach notifications is required, so that the requirement to notify is only applicable where the threat of material harm to data subjects is identified, or perhaps via the use of a 'traffic light'-style framework for grading data breaches," the CBI said.
Plans to force data protection authorities to issue fines to companies for breaches of the data protection laws were also criticised, whilst the way the Commission has defined "key" terms in the draft Regulation could also lead to "greater uncertainty and legal risk," the CBI said.
The CBI also criticised plans to scrap the charge that individuals in the UK currently must pay in order to force organisations to give them access to the personal data they have stored about them.
Removing the "small administration fee" could see a rise in the number of "malicious" 'subject access requests' and create extra cost to public bodies at the ultimate expense of the taxpayer, it said.
Under the proposed new regime individuals will be given a right that generally enables them to force organisations to delete personal data stored about them "without delay". Organisations that have made the data public will be liable for the data published by third parties and will be required to "take all reasonable steps, including technical measures" to inform those third parties to delete the information.
Organisations will be able to oppose the deletion of information if they can show they have a right to publish the data under the fundamental principle of freedom of expression or if it is in the public interest for the data to remain in existence.
However, the CBI said that the 'right to be forgotten' would not work in practice and would mislead consumers. It called for a "re-definition" of the right to be drafted that takes into account its limitations.
"Many forms of customer data held by, for example, banks, insurers, employers and public authorities are required to be held for specific periods by law," the CBI's report said. "These would not be subject to the 'right to be forgotten' and requests from consumers to have data removed would be frustrated, leading to complaints and litigation".
The group said that difficulties in determining the "ownership" of information published online would also make it difficult for individuals to obtain the deletion of data about them.
"On many online platforms site administrators cannot realistically exercise full control of how posted data may be used or reproduced by third parties, and thus requirements to notify third parties if a user withdraws their personal data are technically unfeasible," the CBI said.
Provisions contained in the draft legislation that would force businesses to transfer the personal data of consumers to rivals under certain circumstances should also be scrapped, the group said. The "redundant measure" is "similar" to access rights already guaranteed to consumers under the Regulation and would "create practical problems for consumers, whilst deterring investment in innovative products and services" and could possibly create "competition problems," it said.
The CBI said that the European Commission had "over-estimated" the financial benefits that would be gained from introducing its proposals and had "overlooked" extra costs businesses would face in order to comply with the new laws. The costs would "include the revision and issuance of new terms and conditions to customers, amending IT systems, revising employee guidance and procedures, training staff and increased monitoring," it said.
The CBI said the extra costs "create a disincentive" for global companies to offer services to EU consumers. The Commission's planned Regulation would, if enforced, introduce a single data protection law across all 27 EU member states. Companies whose processing of the personal data of EU citizens takes place outside the borders of the trading bloc would also be subject to the rules.
"It is not difficult to envisage a situation in which a web-based service physically located in the US asks users during the sign-up process whether or not they are an EU citizen," the CBI said. "If the individual answers 'yes' then access might be reduced or even denied, whereas if they answer 'no' they would essentially exempt themselves from EU data protection safeguards. It is doubtful that this would feel like an improvement from the European consumer's perspective".