New dawn for data protection

20 November 2012

Although ‘the paperless office’ is still a way off, we are all now processing and storing more digital material than ever. One consequence of this shift to digital-only working is that of data protection.

Reflecting this change in the way data is used, the European Commission (EC) has published proposals for a major overhaul of data protection legislation. Presently the law is scattered across an array of directives and member states’ own legislation. The new framework comes in the form of a regulation, meaning that it would be binding without the need for implementation at national level.

Since significant changes could be implemented as early as next year, businesses will want to be aware of their potential impact.

Individual rights

What is immediately striking is the general drive to give greater protection to individuals’ rights. New definitions make it clear that ‘personal data’ includes anything that can identify an individual. This would apply to data that, when combined, could identify someone, whether the data were held by the data controller or by a third party. (Currently in the UK, the same data controller must hold all data necessary to identify an individual.) In practical terms, this could be important where rights holders hand over IP addresses to internet service providers, as they can no longer argue that IP addresses are not personal data. Individuals would also gain the ‘right to be forgotten’, enabling them to have their data deleted unless there is a compelling reason to retain it.

Implied consent

There are attempts to move away from the idea of implied consent for the use of data. The UK currently allows data controllers to work on this basis but it is likely that people will have to give much more explicit consent for their data to be used and stored. It is not yet clear what this would mean in practice but probably the days of merely ticking a box online will become a thing of the past.

Cross-jurisdictional issues

An interesting aspect to emerge is the potential cross-jurisdictional effect of the regulation. The rules extend to data controllers outside the EU if the processing relates to either the offer of goods or services to data subjects within the EU, or the monitoring of their behaviour.

This would bring large US companies such as Google, Facebook and Bing into the new regime because of their use of methods like targeted advertising and tracking. Interestingly, EU law defines a child as ‘under 18’ but in the US it is ‘under 13’. This disparity could have huge implications for social media so we can expect heavyweight lobbying in an effort to water down the scope of the proposed change.

If the regulation survives in its present form, businesses of all sizes will be affected. The investigative and enforcement powers of data protection authorities would be significantly strengthened. Individuals’ rights would also be beefed up. Businesses would have to be far more open and transparent about the way they store and transfer data.

Inevitably there will be a knock-on for businesses in terms of the greater administrative burden as well as adapting to a raft of other changes. There is still work to be done but there is a clear impression that data protection is going to become a much bigger issue for every business.

As always, if you need commercial and pragmatic legal advice, we’re here to help so please get in touch.

Disclaimer: All legal information is correct at the time of publication but please be aware that laws may change over time. This article contains general legal information but should not be relied upon as legal advice. Please seek professional legal advice about your specific situation - contact us; we’d be delighted to help.
Matthew Clayton MA LLM (Cantab), CIPP/E