Edelman Brussels Tech Briefing

DATA PROTECTION AND PRIVACY

THE EUS LANDSCAPE

DATA

PROTECTION

As the debate currently stands:

Definition of personal data may be extended to also regulate anonymised and pseudonymised data Responsibilities of data processors and data controllers for the protection of consumer data may be clarified Explicit consent may have to be obtained by businesses from consumers before collecting and processing their data Privacy by default may become obligatory The right to be forgotten may allow users particularly of social networks to request their personal data be erased by the data controller to prevent further dissemination Right to data portability may allow consumers to move their data from one service provider to another and to be granted access to their data Privacy by Design may become an obligatory technological solution for ensuring better and more effective protection of consumer data Fines of up to 2% of a companys annual turnover shall ensure compliance and enforcement 24-hour privacy breach notifications shall oblige companies to tighten data security One single data protection authority may only be responsible for multi-national businesses to reduce their costs for compliance Rules for data transfers to entities outside of the EU for processing purposes may be tightened to ensure adequate protection of the privacy of consumers, while best practices such as Binding Corporate Rules will require less administration for multinationals

In 1995, the European Union (EU) adopted legislation (a Data Protection Directive) that determined the framework for the protection of personal data across all 27 EU Member States. This general framework was translated into 27 more detailed national interpretations, followed by even more regional ones. The result of this is that multinational companies are faced with a patchwork of data protection laws causing high administrative and legal costs to ensure compliance with privacy legislation across the board. Whats more, the legislation was drafted at a time when the World Wide Web was still in its infancy. 17 years later, we operate in a much more complex internet environment that has opened doors to great innovation but also to much legal uncertainty on the side of businesses and consumers alike. At the beginning of 2012, the EU proposed a single set of rules that would overhaul the current legislation(s) and reduce red tape for businesses. However, in the age of social networks, security breaches and excessive data collection, the EU is also listening to the concerns of consumers seeking to create trust in the digital economy the potential of which for wealth and job creation has grown to paramount importance. Therefore, the EU is looking for a framework that is fit for the digital age, balancing the necessity to boost the digital single market with the need to give consumers more control over their data. Trust is considered the key to addressing the expectations at both ends.

EXPECT SUBSTANTIAL CHANGES

The debate on the new EU legislation is well underway and all policymakers involved are aiming to reach a first agreement in mid-2013 and adopt a final text by 2014, this means that companies will have to comply with the new set of rules by 2016 at the latest.

CHALLENGES AND RISKS WHY SHOULD BUSINESSES CARE?

A tough stance for global standards?
With the proposed reform the EUs ambition is to establish itself as world leader in data protection regulation. And indeed, what is being decided at EU level is often copied by third countries, impacting businesses and societies far beyond its boundaries. However, a job badly done may also result in a large economy of more than half a billion consumers being walled off, leading to grave economic losses.

EDELMAN BRUSSELS TECH BRIEFING

As it currently stands, the legal framework will not only apply to companies headquartered in the EU, but to ALL companies processing data of EU citizens, irrespective of WHERE the data is processed.

27 trying to become ONE on privacy

While many politicians as well as digital rights groups widely welcome the EUs tough stance on protecting consumer privacy, the reform is also under heavy assault particularly from Member States. The EU decision-making process is based on consensus finding, and combining 27 different approaches to data protection is challenging to say the least. It remains to be seen whether the Irish/ British comparably lenient approach, or Spain, Germany or France will prevail with their strong cultures of privacy and stringent regulations.

The new data protection framework will be crucial for the health and innovationfriendliness of the global Internet economy and thus for economic growth and jobs. The need to give consumers more control over their data will have to be balanced with the call for more accountability on the side of businesses in order for EU consumers to receive cuttingedge services and for companies to drive and capitalise on significant waves of innovation in Europe and elsewhere.
If you are
an insurance broker that processes customer data to assess risks. a company processing and monitoring medical device data a free news service offering content offline, online and on your mobile but funded through advertising a global hotel chain offering your booking services including for transport, sightseeing and even deals online, offline and on mobile a financial service monitoring money laundering or fraud activities a retail company with a multi-channel offering including stores, e-commerce, m-commerce, TV shopping and other media

Is one-size-fits-all the answer to privacy?

Many perceive the reform as too prescriptive, placing heavy obligations and responsibilities on businesses and leaving little breathing space for innovation and technological developments. On the other hand, the definitions of personal data, consent, data controller or data processor are lacking in detail, leaving grey zones and legal uncertainty throughout the entire proposal. The expertise of all industry sectors dealing with consumer data health, tourism, insurance, financial services, etc. will be needed to come up with a future-proof legislation that is based on context and risk of data processing operations rather than a one-size-fits-all approach that could severely hamper the potential of the Internet economy.

then you should care!

WHAT CAN YOU DO?

Although the negotiations are in full swing, the reform will not be finished before 2014, leaving a substantial time frame for influencing and shaping the debate. Politicians at all levels welcome public engagement, including the expertise, technical knowledge as well as best practices of the business community. This will help reaching a final text that balances well the requirements and responsibilities of all stakeholders involved in the digital economy. By translating the policy debate for specific business environments, Edelman Brussels can help companies navigate the complex data protection debate in the EU, provide counsel and intelligence, and spot opportunities for strategic engagement and positioning to limit threats to your business. Edelman Brussels will assist colleagues and clients worldwide in linking activities at EU level to companies global public engagement strategies to achieve tangible impacts on their objectives and performance.

Privacy questions beyond social media

The role of social media and their ambivalent relation to protecting consumer privacy feature strongly in the current debate. Whilst this may seem convenient for many other companies at first sight, it may have potentially adverse effects. Politicians news seems to be largely shaped by the way major Internet players are dealing with personal data, leading to a rather stringent formulation of the data protection regulation, with severe implications for the operations and reputation of the entire business community online AND offline.

For further information, please contact: Martin Porter, Chair, Edelman EMEA Public Affairs General Manager, Edelman Brussels Martin.porter@edelman.com

EDELMAN BRUSSELS TECH BRIEFING