The EC Data Protection Proposals Will Be Costly And Complex

European data protection laws will be costly and frustrating, warn Sally Annereau and Debbie Heywood


The UK government is one of the most vociferous critics of the EC draft data protection Regulation which aims to create a new harmonised European data protection framework. However it is certainly not the only government, nor the only regulatory authority to suggest that some of the key proposals in the regulation are either overly prescriptive or simply unworkable.

The ‘right to be frustrated’?

Debbie Heywood Taylor Wessing
Debbie Heywood Taylor Wessing

One of the most controversial proposals is the ‘right to be forgotten’. This gives internet users the right to request deletion of their online personal data in some circumstances. They can request deletion when the data is no longer necessary in relation to the purposes for which it was collected or simply when the data internet users withdraw their consent or objects to their data being stored. On the surface this seems like a promising step forward in protecting personal data. However, in reality, wide exceptions to this right are provided to protect freedom of expression, public interest and public health. For example data will be exempt from this provision if it is collected for historical, statistical or research purposes.

This leads to genuine concerns that the regulation will end up as nothing more than a ‘right to be frustrated’. Internet users will discover that the scope of carve-outs means that the ‘right to be forgotten’ offers shallow promises. Additionally, even where the right can be upheld, it will cause serious issues for online businesses. These organisations will find themselves trying to take down data that has been onwards published by third parties over whom they have no control.

The provisions are onerous, and potentially unworkable for online businesses which may have to trawl through records both in electronic form and hard copy, searching for and deleting references. It is difficult to see how ISPs, hosting platforms and social media networks, in particular, will be able to comply. In addition, it is unclear as to how the exceptions to the right would apply. How are organisations to assess whether or not they fall within one?

The right to be forgotten is so contentious that the UK government was reported to have requested an opt-out. The Ministry of Justice said: “the UK does not support the right to be forgotten as proposed by the European Commission. The title raises unrealistic and unfair expectations [for internet users]. We are also concerned about potentially impossible requirements for [businesses] to manage third-party erasure”.

Sally Annereau Taylor Wessing portrait
Sally Annereau, Taylor Wessing

Data breach notification

The right to be forgotten is by no means the only proposal in the regulation which has been deemed overly prescriptive or unworkable. While it attracts fewer headlines, the current prescriptive requirements for reporting data protection security breaches could be of even greater concern for UK businesses.

As currently drafted, the measure gives organisations just 24 hours to report a security breach to the relevant supervisory authority. In addition, customers must be notified of any breach liable to have an adverse effect unless the data business can demonstrate that it has taken suitable steps to protect the leaked data.

The problems here are obvious: there is no exception for breaches of a relatively trivial nature. This mean businesses will have to notify the relevant data protection authority (DPA) each time there is a security breach. If this happens, the DPAs will be inundated with notifications which they will quite simply not be able to deal with. This over reporting could, ultimately result in ‘breach fatigue’ where business and public alike become de-sensitised to the very real risks of data breach.

It is also virtually inconceivable that businesses and DPAs will be able to cooperate to deal with informing customers of breaches within the given time frames. Even the EU appears to have acknowledged that the time frames specified are unfeasible and it is probable that they will be relaxed in the next draft.

Counting the cost

The UK’s Information Commissioner (ICO) has repeatedly criticised the draft data protection Regulation for being overly prescriptive and concentrating too much on processes rather than outcome.

Both businesses and NRAs will be subject to increased administrative obligations which will lead to increased costs. The UK government has estimated that far from saving money, the annual net cost to the UK alone of implementing the regulation will be between £100 million and £360 million per year with SMEs bearing the brunt of this.

The House of Commons Justice Committee also expects the ICO to face a funding shortfall of around £40 million on the introduction of the Regulation. In the current economy, financial demands of this nature may very well render many of the proposed reforms unworkable at the most basic level.

Sally Annereau is a data protection analyst and Debbie Haywood is a professional support lawyer and Taylor Wessing, a law firm which specialises in IT issues.

Are you a pedant on privacy? Try our quiz!