In the EU One Data Protection Law To Rule Them All
- Date: 25 January 2012
- Author: broyer
- Category: Cloud Computing, compliance, data privacy, Encryption, News, Services
We all know that one of the great benefits of "the cloud" is that it is borderless: a North American business with European locations (or, conversely, a European company with North American offices) can host its data in provisioned data centers of its choice, classified neither by zip code nor by country.
A proposed new European Union data protection law, however, has significant implications not only for privacy rights and how they are enforced across the continent, but also for how data breaches are announced, by whom, and what penalties a company that mishandles data would face.
To paraphrase a key line in J.R.R. Tolkien's Lord of the Rings, the General Data Protection Regulation, or the "one law to rule them all", would measurably and substantially expand the EU's powers, including a 24-hour rule requiring companies to notify authorities and affected customers when the private data they hold is compromised.
As for those penalties? I think Patricio Robles, writing at econsultancy.com, puts it best:
The penalties for non-compliance with the new laws will be fierce: under the proposed language, each violation could result in a penalty of up to 5% of the violator’s annual worldwide revenue. As Whittaker notes, this could equate to $1.1bn for each hypothetical Microsoft violation, and $430m for each hypothetical Google violation.
Under the proposed legislation companies would also be liable for customer data sold to third parties without authorization and data transferred to social networks or cloud-based services.
The new regulations would apply to the European subsidiaries of organizations based outside the EU, forcing multinationals to strengthen their data protection policies. This includes requiring companies with more than 250 employees to provision resources dedicated exclusively to managing data protection programs.
In a recent speech to digital and cloud computing representatives, Viviane Reding, the EU's Justice Commissioner, said that cloud computing offered both businesses and consumers enormous potential for growth, but that the existing, aging legislation needed to be brought up to date.
As currently drafted, the legislation mandates that a company abide by the data protection rules of the EU country in which it is established, instead of applying the separate national laws of each state where it operates, as is the case now. In essence, the Commission is proposing a "one-stop shop": one law and one data protection authority for each business.
According to this excellent summary by Zack Whittaker in ZDNet, if the legislation passes, more stringent data protection requirements await any U.S. business that sets up locations in Europe, regardless of where it is headquartered.
The draft legislation includes the following elements:
- Because it would be a regulation issued top-down from Brussels, home of the European legislative bodies, it would apply directly in every member state (unlike the current directive, which each state had to enact into its own law), providing near-complete harmonization of future data protection rules.
- Companies with operations in multiple European member states would fall under the jurisdiction of a single member state's legal system, including its data protection law. The location of their designated European headquarters determines which one.
- Data processors, such as Microsoft and Google, which merely store and manage data through their services, would be under many of the same obligations as data controllers, such as businesses and universities that collect the data and decide how it is used.
- Data controllers and data processors would be required to sign an agreement allocating responsibility for the data between them. Absent such an agreement, both parties would be jointly liable for all processing, including any data loss or privacy breach.
- Companies based outside Europe, in the United States for example, would remain subject to European law if they have a European office or European customers.
- Opt-in consent would become obligatory. This mostly concerns data processing for marketing, where companies would need explicit consent from the data subject before carrying out such processing.
- The "right to be forgotten". Although this has drawn criticism from the UK's data protection authority, measures would be put in place to allow European citizens to have their data deleted by private companies.
- If a company suffers a data loss or breach, both the data protection authority and the affected individuals must be informed within 24 hours of the breach being discovered.
- For public sector bodies, and for any company with more than 250 employees, an internal data protection officer would be mandatory.
- The Article 29 Working Party would be renamed the "European Data Protection Board" and would act as the executive body for all member states' data protection authorities.
- The Commission would be granted the power to issue provisions interpreting the regulation, allowing member states to refer high-level cases directly to Brussels.
The EU legislative process can take two or three years before draft legislation becomes law. The current directive was adopted in 1995, but it took a further three years before the member states had enacted it into their own national legal systems.
The final 116-page version of the draft will be presented at the World Economic Forum in January 2012.
More information about the EU General Data Protection Regulation can be found here.