Compliance with data protection law has long been regarded by British business as a heavy burden. Over the past few years the burden has become considerably heavier, and the proposal by the European Commission for a General Data Protection Regulation will make it even more onerous.

The present

Partly as a reaction to high-profile data protection breaches, here in the UK, the Information Commissioner was granted swingeing new powers in April 2010 that represented a quantum leap compared to the old enforcement regime.

Some of these powers entitle the IC to fine data controllers up to £500,000 for serious contraventions of their statutory duty to comply with the data protection principles.  Guidance issued by the Information Commissioner's Office ("ICO") explains that fines will or may be imposed:-

  • where the circumstances are serious;
  • where the contravention is likely to cause substantial damage or substantial distress;
  • where there has been deliberate or reckless contravention and a failure to take reasonable steps to prevent it.

In the years that have followed, a succession of data controllers have suffered heavy fines for data protection breaches and there have even been criminal prosecutions for offences under the Data Protection Act 1998.

Other powers granted to the ICO in April 2010 included the entitlement to serve assessment notices on public authorities where (for example) it believed there was non-compliance with data protection principles, and to enter premises and inspect documents.  The ICO has wasted no time in using these new powers.

The future

In January 2012, the European Commission unveiled its proposals for the wholesale reform of EU data protection law.  The principal instrument of reform is intended to be a Regulation which will be directly binding on member states (i.e. there will be no need for any national implementation by member states).

In its press release launching the reform proposals the European Commission claimed that they would make "...life easier and less costly for businesses", although the reaction to the proposals to date suggests that precisely the reverse is likely to be the case.

The current draft of the Regulation includes the following reforms:-

  • The definition of personal data will be widened to include location data, identification numbers, and online identifiers;
  • The first Data Protection Principle will be expanded to require processing to be conducted fairly, lawfully and in a transparent manner;
  • All consent by data subjects will need to be explicit;
  • Businesses outside the European Union will be subject to the Regulation if they offer goods or services to EU data subjects, and/or monitor their behaviour;
  • Businesses with more than 250 employees, or which "regularly and systematically monitor" data subjects, will have to appoint a data protection officer;
  • Data processors will have statutory data protection obligations for the first time;
  • There will be a new statutory "right to be forgotten";
  • Data subjects will have a right to a copy of their personal data in a portable format;
  • Businesses will have to notify the authorities of a personal data breach within 24 hours of becoming aware of it (and notify the data subject);
  • The rules on transferring data outside the EEA may be improved for businesses;
  • Fines from data protection authorities increased to €1m or 2% of annual worldwide turnover.

UK Plc is dismayed by the additional burdens to be placed on business by the proposed reforms (as are overseas data controllers), and even the ICO has expressed concern at them in various respects. 

There is still opportunity for lobbying on the detail, and the timing of the Regulation remains uncertain, but there seems little doubt that sooner or later the Regulation will change the whole landscape of data protection in this country and the rest of the EU.  The European Parliament has already approved the proposed legislation by an overwhelming majority, so it is up to the Council of Ministers to give the final go-ahead.
