Since 1984 the Data Protection Act has formed the foundations of what information can be collected and stored on a person and how this information may be handled.
In the European Commisions words, the Data Protection Directive exists “In order to remove potential obstacles to the flows of Personal Data and to ensure a high level of protection within the EU.”
The basic law consists of the following eight principles:
- Companies may not store data other than for a specific purpose.
- Companies may not pass data along to a third party without consent.
- Personal information may not be stored for longer than necessary and must be kept up to date.
- Personal information may not be sent outside the EU without consent or adequate protection.
- Individuals have the right to request what data is held about them (with exceptions such as data that may prevent a crime).
- Larger organisations with complex data processing must register with the Information Commissioner’s office.
- Company departments must have adequate security in place (both actual and organisational).
- Subjects have the right to have factually incorrect information corrected.
These laws exist, for example, to ensure that companies only hold on to your data for as long as there is any involvement between you and the company. It also prevents companies from passing (or selling) your details on to marketing and advertising firms.
Any business, wherever it is located, that places cookies on computers belonging to its customers based in the EU would be subject to the directive.
The new directive means that internet users would now be able to request that companies delete their data unless there are legitimate grounds to retain it with a new “right to be forgotten” law. That internet users can request data portablility (transfer of personal data between companies) is also expected to be included. The key change to be addressed is that any data security breaches must be disclosed within 24 hours. This is thought to originate from the Sony Playstation Network breach in April 2011, when Sony took over a week to inform its customers that their data may have been at risk. As Apple iphones and Googles Android operating system were being investigated last month over concerns they were already breaking existing laws for collecting location data. It could also mean that mobile devices would have to continually inform users that “geo-location” is on with a permanently visible icon as it is argued that it should only be used when neccessary.
The EU’s Justice Commissioner Viviane Reding said:
The new laws would “ensure a smoother exchange of information between member states, police and judicial authorities in the fight against terrorism and serious crime while at the same time protecting people’s fundamental rights to data protection.”
The Executive Vice President EMEA of “Shred-it”, Robert Guice said:
“The Directive and the powers it will give to the ICO will hopefully serve as a timely wake-up call to any business that still does not have a proper data management and destruction system in place.”
Although these new laws would exist to ultimately protect the public, it could cause huge financial and administrative burdens to many businesses large and small.
Resources:
https://ec.europa.eu/info/law/law-topic/data-protection_en
http://ec.europa.eu/commission_2010-2014/reding/index_en.htm
https://blogs.wsj.com/tech-europe/2012/01/23/reding-details-sweeping-changes-to-e-u-data-laws/
Data protection laws are extremely strong across Asia, India, China, Brazil, and the US. Essentially, data must remain within the country of origin (significant issue for offshore/ outsourcing service providers) and the data must remain under the control of the business entity at all times. It is also extremely important that any data analysis with systems like CRM must be significantly stringent to protect the identity and integrity of individual information. I would like to know if the rules in the EU are planning to be stronger than what is already in place around the globe?