EU Data Protection proposals – what’s in it for business?

Today saw the launch in Brussels of the European Commission’s proposals to overhaul the EU’s data protection rules.

This is an important piece of legislation, and one which is likely to have implications for many businesses—not just those in the tech sector. The stated intention of the new proposals is to give consumers “full control” over their own data, whilst also harmonizing the rules applied in each of the 27 EU Member States.

The aim of bringing greater coherence to the patchwork of data protection laws currently in force within the EU will be supported by business; but, as we pointed out in our media statement this morning, harmonization should not be viewed as a prize in itself. Indeed, we think there is a risk that overly stringent rules in this area could stifle the development of new technologies and services.

In this connection, it’s clear that the draft Regulation raises a number of issues which will require careful consideration, including:

- An extremely broad definition of “personal data”, which we think may have unintended consequences for a number of sectors/business models.
- Mandatory responsibility to report data breaches “as soon as possible”—in reality, this is likely to mean within 24 hours.
- A proposed requirement for businesses with more than 250 employees to appoint a dedicated data protection officer to oversee data protection processes.
- Strict provisions around direct marketing.
- Conditions for the “right to be forgotten”, which places the burden of proof for not deleting an individual’s data on businesses.

We are currently reviewing the detailed provisions of the proposed Regulation and will be developing an engagement plan in conjunction with our member companies. Please don’t hesitate to get in touch with our policy team if you’d like to discuss any issues further—including how ICC UK can work with your business on the data protection agenda.