Although ‘the paperless office’ is still a way off, we are all now processing and storing more digital material than ever. One consequence of this shift to digital-only working is that of data protection.
Reflecting this change in the way data is used, the European Commission (EC) has published proposals for a major overhaul of data protection legislation. Presently the law is scattered across an array of directives and member states’ own legislation. The new framework comes in the form of a regulation, meaning that it would be binding without the need for implementation at national level.
Since significant changes could be implemented as early as next year, businesses will want be aware of the potential impact of these.
Individual rights
What is immediately striking is the general drive to give greater protection to individuals’ rights. New definitions make it clear that ‘personal data’ includes anything that can identify an individual. This would apply whether the data were held by the data controller or a third party that, when combined, could identify someone. (Currently in the UK, the same data controller must hold all data necessary to identify an individual.) In practical terms, this could be important where rights holders hand over IP addresses to internet service providers as they can no longer argue that IP addresses are not personal data. Individuals would also gain the ‘right to be forgotten’, enabling them to have their data deleted unless there is a compelling reason to retain it.
Implied consent
There are attempts to move away from the idea of implied consent for the use of data. The UK currently allows data controllers to work on this basis but it is likely that people will have to give much more explicit consent for their data to be used and stored. It is not yet clear what this would mean in practice but probably the days of merely ticking a box online will become a thing of the past.
Cross-jurisdictional issues
An interesting aspect to emerge is the potential cross-jurisdictional effect of the regulation. The rules extend to data controllers outside the EU if the processing relates to either the offer of goods or services to data subjects within the EU, or the monitoring of their behaviour.
This would bring large US companies such as Google, Facebook and Bing into the new regime because of their use of methods like targeted advertising and tracking. Interestingly, EU law defines a child as ‘under 18’ but in the US it is ‘under 13’. This disparity could have huge implications for social media so we can expect heavyweight lobbying in an effort to water down the scope of the proposed change.
If the regulation survives in its present form, businesses of all sizes will be affected. The investigative and enforcement powers of data protection authorities would be significantly strengthened. Individuals’ rights would also be beefed up. Businesses would have to be far more open and transparent about the way they store and transfer data.
Inevitably there will be a knock-on for businesses in terms of the greater administrative burden as well as adapting to a raft of other changes. There is still work to be done but there is a clear impression that data protection is going to become a much bigger issue for every business.
As always, if you need commercial and pragmatic legal advice, we’re here to help so please get in touch.
This September brings change to the use of standard contractual clauses (SCCs) governing data transfers from the EU and EEA. In June this year, the European Commission published two sets…
On Christmas Eve, the nation was informed that the UK and EU had struck a Brexit deal. The transition period is now over, and a clearer picture of the future…
The media flurry around the introduction of the General Data Protection Regulation (GDPR) in May 2018 has quietened, but organisations shouldn’t be lulled into a false sense of security. The…
Our website uses cookies to improve your experience while you navigate through our website. Out of these cookies, the cookies that are categorised as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyse and understand how you use our website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies but it may affect your browsing experience on our website. You can find our cookie policy here.
Necessary cookies are absolutely essential for our website to function and enable core functionality such as security and accessibility. These cookies do not store any personal information. You can block these cookies by changing your browser settings, but this may affect how the website functions.
We use performance cookies such as Google Analytics to help us count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. The cookies collect information in a way that does not directly identify anyone. For more information on how these cookies work, please see our cookie policy.
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Cookie
Duration
Description
__cf_bm
30 minutes
This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Cookie
Duration
Description
_ga
2 years
The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_UA-562889-3
1 minute
A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid
1 day
Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
vuid
2 years
Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
