EU data protection reform could be delayed until 2015

The draft Data Protection Regulation may not complete its passage through the EU legislative process until early 2015, in which case it would not come into force until early 2017. The possible delay follows the conclusions of a summit meeting of the heads of Government of the EU Member States on 24 and 25 October in Brussels where the potential impact of the draft Data Protection Regulation on the digital agenda was raised.

The UK wanted to delay the vote as it felt that rushing through the current draft Regulation before the European Parliament and the European Commission come to the end of their five-year term in spring 2014 could harm the interests of businesses. An area of particular concern is the level of fines for breaches of the draft Regulation, which the European Parliament's Civil Liberties Justice and Home Affairs (LIBE) Committee has voted to increase to up to €100m (£85m) or 5% of their annual worldwide turnover, whichever is greater. The original proposals called for penalties of up to €1m (£850,000) or 2% of worldwide turnover, so this represents a significant increase in penalties. (See below for more details.)

David Cameron and Angela Merkel push for a delay
Prime Minister David Cameron said at a press conference after the summit: "The one area where we had some concerns, because the right drafting and thinking hadn't been done, was data protection, where there was a rather false deadline for next year. We got that removed. We do need to have a data protection directive in the EU but the current draft would add a lot of cost to businesses. It's not right, and so I made sure there was no false deadline for next year for that one."

It appears that German Chancellor Angela Merkel also wants a delay so that her Government can reconcile the draft Regulation with Germany's existing data protection legislation in the public sector, which gives German citizens more rights than are currently contained in the draft Regulation. The meeting was dominated by the issue of US secret services monitoring of EU citizens' (including heads of Government) communications.

The heads of Government agreed that: "It is important to foster the trust of citizens and businesses in the digital economy. The timely adoption of a strong EU General Data Protection framework and the Cyber-security Directive is essential for the completion of the Digital Single Market by 2015." This language is vague and despite the statement by David Cameron above, the European Commission may still push the Council of Ministers to agree the Council's amendments to the text at its December meeting.

Council of Ministers still making amendments
The Council of Ministers is still making amendments to the Commission's original text from January 2012. Much of the technical detail is being left to a working party made up of civil servants from the relevant ministries in the Member States which continues to meet regularly. The possible delay until 2015 will give the Council of Minsters more time to consider the text in detail. The next ministerial level meeting takes place at the beginning of December.

Trilogue negotiations to follow
In order for the draft Regulation to be passed in to European Union law, the Council of Ministers, the European Commission and the European Parliament must all agree on the same text. Since the Council of Ministers' version of the text once they have agreed their suggested amendments is likely to be completely different from the European Parliament's version of the text, the three parties will have to enter three-way (trilogue) negotiations to resolve their differences.

The trilogue negotiations are likely to start as soon as the Council of Ministers has agreed its version of the text. To date the Council of Ministers has resisted moving to a quick agreement on the text before it has considered it in detail. The Council will no doubt use the conclusions of the European Summit above to support its position.

The Council of Ministers recognises that it is important to get the detail right, given that the current draft Regulation may last for 20 years, as is the case with the current Data Protection Directive which was passed into European Union law in 1995. If the European Commission does push the Council of Ministers to a vote then it will be interesting to see the outcome of the vote, which will be based on a weighted majority system according to the population of the EU Member States. There could well be enough countries supporting a delay until 2015.

What are the key issues for direct marketers in the LIBE Committee's amendments?
The latest vote on Monday 21 October by the LIBE Committee on amendments to the draft EU Data Protection Regulation will, if adopted, severely restrict how legitimate businesses use data to market their goods and services to consumers as they reintroduce some of the more problematic changes proposed in January by LIBE Committee Rapporteur Jan Philip Albrecht MEP, who is well-known for his campaigning for stronger data protection laws. In general, the amendments introduce vague language and there is often a conflict between the wording in the main body of the draft Regulation and the introductory wording. The areas of particular concern are:

1. Fines of up to 5% of annual worldwide turnover
   Businesses who break data protection rules will face fines of up to €100m (£85m) or 5% of their annual worldwide turnover, whichever is greater. The original proposals called for penalties of up to €1m (£850,000) or 2% of worldwide turnover, so this represents a significant increase in penalties.
2. Right to erasure/right to be forgotten
   It strengthens the right to be forgotten. An individual will have the right to have their personal data erased if they request it. That business would then also be legally obliged to forward that request to other businesses where the data is replicated. This is of particular concern for digital firms such as search engines, social networks and cloud providers.
3. Direct marketing as a legitimate business interest
   The legitimate business interests case for collecting and processing of data will be restricted to direct marketing by post or where the direct marketing relates to similar products and services. Opt-in consent will be required for all other direct marketing channels (Currently post and telephone channels are opt-out/unsubscribe and there are no restrictions on the types of products and services that can be marketed on an opt-out/unsubscribe basis.)
   
   The amendment represents a severe restriction on direct marketing and is a major step backwards. Earlier this year, the advertising and marketing industry lobbied successfully for a more balanced approach by the Council of Ministers that would allow the disclosure of personal information to other marketers to be included as a legitimate business interest provided the following conditions were met:
   • The individual is aware that the first-party marketer will disclose their details to the third-party marketer
   • The first-party marketer offers the individual the right to opt out/unsubscribe from having their post and telephone contact details passed on to the third-party marketer and it is clear to the individual how to do this
   • The third-party marketer clearly shows the individual that they got their details from the first-party marketer and offers them the chance to unsubscribe from further direct marketing by post and telephone
4. Consent
   The LIBE amendments expand the explicit consent requirement for gathering and using data. They call for "explicit indication of the individual's wishes" in the form of "clear affirmative action that is the result of choice" by the individual – consent cannot be inferred from silence, mere use of a service or inactivity.
   
   This implies that an opt-out/unsubscribe mechanism for gaining consent may no longer suffice. (Currently consent can be implied if an individual doesn't unsubscribe or opt out, as long as the opt-out mechanism is clear and the individual is aware of the consequences of not opting out.)
   
   Marketers will not be able to rely on consent if the reason for processing the data no longer exists. For example, if an individual cancels a service (eg annual insurance) the marketer can no longer send the person a marketing communication when the insurance is due for renewal, unless it collected the individual's permission to do so when the service was cancelled.
   
   An individual's consent to the processing of personal information will also be invalid when the processing of personal information is no longer necessary for carrying out the purposes for which the personal information was originally collected. So, using the same example as above, the insurance company would not be able to rely on consent to process a customer's personal information, if that customer no longer had any relationship with the insurance company.
5. Profiling
   Amendments to profiling are particularly worrying for direct marketers who rely on automated processing for credit-scoring, as they will have to carry out a human assessment and individuals must be given a clear explanation of this assessment. Where profiling has legal effects on the individual, significantly affects their fundamental freedoms and rights or has a discriminatory effect on the sensitive categories of personal information (eg race, religion, trade and union membership) profiling would be prohibited altogether.
6. Data security breach notification
   One welcome amendment is the removal of the 24-hour time limit in which data security breaches have to be notified to the relevant national data protection authority and to affected individuals. Under the amendment, the notification has to be carried out "without undue delay".
7. Requirement to appoint a data protection officer
   Any organisation that processes personal information of 5,000 individuals in any 12-month period must appoint a data protection officer. What's more, if an organisation processes fewer than 5,000 individual records but the information processed includes, sensitive personal information, location data, children's personal information or personal information relating to their employees in large scale filing systems then they must also appoint a data protection officer. Organisations will also be required by law to appoint the data protection officer for a minimum of four years (previously the minimum term was two years).
8. The individual's right to claim compensation
   Individuals who have suffered damage (including a non-financial one) can claim compensation for breaches of the Regulation. This would mean that an individual woken up by an unsolicited telemarketing call could claim damages for being disturbed.

The European Parliament has announced that it will hold a vote of all MEPS to adopt the LIBE report in April 2014 just before the Parliament finishes for the European Elections in May 2014. This will firmly fix the Parliament's position on the draft Regulation. The vote will be held regardless of whether the Council of Ministers have come to a formal position or the trilogue negotiations are still ongoing. The DMA will continue to lobby for a more risk- based approach, one with a fairer balance between the personal right to privacy and the legitimate needs of businesses The DMA will keep members updated of developments.