How EU data rules will hit IT contractors

On January 25th 2012, the European Commission published a proposed new regulation [1] governing the processing of personal data.

‘Comprehensive reform of data protection rules’

The provisions combine new requirements with elaboration of existing requirements, leaving less room for misapplication. Some existing procedures are simplified (for example by removing the ‘general registration’ requirement).  On the other hand, in several areas, the regulation creates stricter obligations on those who hold and use data relating to individuals.

In this overview, writes Olivia Whitcroft, solicitor and principal of OBEP, an information law specialist, I will highlight the overall aims of the revised law and discuss a few significant changes, with a focus on issues in the provision of technology and data services. I will also spell out the likely impact of the proposed framework on individual IT contractors working on behalf of a client organisation.

[1] Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)

Why have the new rules come about?

A reform of EU data protection law has been on the cards for several years now, to update the directive drafted in the early 1990s. Key aims are to adapt to the rapid increase in the amount and value of data used by businesses, the technologies and methods by which data is shared and used (particularly by means of the internet) and the global market for business and social operations.

It is also hoped that the new law will address practical issues which have arisen in the interpretation and implementation of existing law, by harmonising, clarifying and simplifying certain obligations. 

If adopted, the regulation would replace current data protection law and apply throughout the European Union without the need for further implementation (in contrast to the current data protection directive, which is implemented in the UK by the Data Protection Act 1998).   

Direct obligations for IT contractors (and other service providers)

The proposed new obligations for data processors would have a big impact on technology and data service providers.  The existing legislation only imposes obligations on the “controller”, being the party who determines the purposes for which and the manner in which personal data is processed - which, if you are an IT contractor, would often be your client.   

The “processor,” which would include an IT contractor acting on behalf of its client, currently has no direct obligations to comply with the law (although should have appropriate contractual obligations to the controller).  

It is now proposed that such processors will have certain direct responsibilities for compliance, meaning that regulators and data subjects could take action against them for non-compliance (as well as the controller).  Obligations include to keep data secure from misuse, loss or damage and to retain certain records relating to their use of personal data. 

For IT contractors, this means that data protection would no longer be only a matter of complying with the terms of your contracts with your client, as there would also be direct consequences (including financial penalties – see below) at law if you get it wrong.  So IT contractors would not only be liable to their customers for handling personal data (as is the case now) but also to data subjects and the regulator.   

‘Breach notification’ requirement

The proposed regulation introduces a new requirement for breaches of security to be notified to the relevant supervisory authority (in the UK, currently the Information Commissioner’s Office).  Such breaches must also be notified to individuals where their privacy is likely to be adversely affected. Processors, which would include IT contractors, must promptly notify the relevant controller of such a breach.  This is a seemingly wide obligation, in contrast to the current voluntary notification scheme (in the UK), which is typically only used for substantial breaches.

Global data transfers and sub-contracting

The proposed law creates more potential options for allowing data transfers outside the EU. For example, there are more ways for standard contractual clauses to be approved. However, the provisions do not appear to address all the issues posed by globalisation. In particular, with a continuing requirement for each processor to be "legally bound" to the controller, it is unclear how this will be met within multiple sub-contracting structures, often involving overseas entities.  Such structures are increasingly common with developing technologies such as cloud services. 

Penalties for non-compliance

The regulation prescribes maximum fines for non-compliance with its requirements. The level of fines varies depending on the breach, but they go up to two per cent of annual turnover, or €1 million (greater than the current UK fines).

Should you, or your client, be responding now?

The proposed regulation is not yet law and must now be considered by the European Parliament and the EU Council, who may reject it or propose amendments.  Once (or if) it is adopted, there is a proposed period of two years before it comes into force. 

This seemingly gives organisations a long time to adapt to the new requirements.  However, it may be prudent for businesses to start thinking how they may be impacted by the new regime when implementing or reviewing new data systems, to avoid further big changes down the line. IT contractors can be thinking about their own potential compliance requirements, as well as how they could help clients with the development and procurement of compliant technology and systems.

Editor’s Note: This article provides general guidance and views on the proposed new data protection regime for the European Union; it should not be relied upon as legal advice.


Feb 08, 2012