Data Privacy and Security

It's UK versus Europe in the battle over data protection

Any observer of the European political scene will be aware that the UK has what’s best described as a semi-detached attitude to the European Union. So, it comes as little surprise that the debate over European data protection is, once again, the UK versus the rest of Europe.

The issue of data protection is a thorny one for the continent’s lawmakers.  The EU announced a draft framework for data protection in January 2014. This was aimed at replacing the existing Data Protection Directive. Rather crucially, the new proposals change the legal basis: a directive has to be interpreted by national governments, who then pass legislation; a regulation means that there’s no need for national laws to be passed.

Much of the debate has centred on how much protection should be given to consumers. And it’s here that there’s the gap between the UK and the rest of Europe. The UK generally favours a softly-softly approach, a more business-friendly ideal. The opposing view is led by Germany, a country with a traditional hard line on data privacy – this, after all, is the country that put limitations on Google when it came to mapping the world.

According to solicitor Conor Ward from Hogan Lovells: “The German attitude, post-PRISM, is to take a very hard line. They’re very concerned about data leakage. It’s the UK, maybe with support from Ireland and the Dutch, against the rest of Europe.”

However, despite their differences, it seems that all parties are moving towards some sort of resolution. The Justice and Home Affairs Council met in early December and there’s more agreement on some of the sensitive areas.  In an official statement, the Council said it had “reached a partial general approach on specific aspects of the draft regulation setting out a general EU framework for data protection. The partial general approach includes provisions which are crucial to the question of the public sector as well as provisions relating to specific data processing situations.”

There was also discussion on another area – the concept of streamlining the legal process. The proposal is for a one-stop shop mechanism to reach a single supervisory decision, which would speed up the process across all the European countries, provide consistent application and legal certainty. Decisions with individual countries would remain under the jurisdiction of that country’s supervising authority

Commenting on the Council’s progress, Andrea Orlando, Italian Minister for Justice and President of the Council, said: "Today we have agreed on two of the most politically sensitive issues on data protection reform. We see this as an important result for the Presidency, and a decisive step towards achieving global agreement on this complex and important file."

However, it’s not all sweetness and light. There remain concerns about the German influence on the process: three of the five rapporteurs guiding the legislation are German, including the lead rapporteur Jon Philipp Albrecht. This has been particularly concerning for UK representatives

But there are further ramifications of the European moves, notably to what extent can laws framed in the EU apply globally. According to Ward, this is not clear-cut as “international cloud service providers say they’re not subject to European law.”

Ward adds we’ve already seen some of the skirmishes that this attitude has led to.

“We’ve had the battle over the right to be forgotten - the Google Spain case. Google argued that they didn’t have a business in Spain but it’s clear: once you have assets in Europe, you’re susceptible to having those assets seized.”

It’s not the only case of Europe versus the US: there’s also been the long-running battle that Microsoft has been mounting with the US Court of Appeal. In April, Microsoft was ordered to comply with a US government search warrant for customer data stored in Ireland: the company has been fighting that judgment ever since. As Microsoft counsel Brad Smith pointed out in a blog post, “the power to embark on unilateral law enforcement incursions into another sovereign country has profound foreign policy consequences. For that reason, the European Commissioner for Justice protested the lower court’s decision, stating that ‘it bypasses existing formal procedures that are agreed between the EU and the US’.”

Wary of the implications of the court decision, Microsoft has garnered a lot of support from other IT companies. In preparing its latest appeal, the company revealed in December that it had letters of support from 28 companies in its case.

Microsoft’s travails reveal how thorny the issue of international law is and what a struggle it has been to get agreement across the friendlier countries of Europe.

Ultimately, the stakes are high. The aim of the new regulation will be far tougher on organisations and their need to protect individuals’ privacy and the law-makers won’t want to miss an opportunity to implement a law with teeth.

The proposed new legislation will mean that organisations will no longer be careless as to where data is being held within the organisation or how it’s being processed. Not only that, it will no longer be enough to leave computer security to the CIO or the CISO, business leaders themselves will be held liable if there’s any breach of privacy.

And, here’s the sting: the penalties will hurt. The regulation proposes fines of up to two percent of global turnover or a million euros; a considerable increase over the current levels.

At the moment, much of the debate over European data protection law has been confined to the closed circle of international lawyers, but when it comes into force, there will be an urgent need for businesses to tighten their processes or face the consequences. If not, there will be a heavy price to pay. And then it won’t be such an arcane discussion after all.


« Why did Google choose Puerto Rico for its modular phones?


Happy Australia Day »
Max Cooter

Brighton, England-based Max Cooter has spent about 25 years writing about technology, when not obsessing about his beloved Brighton and Hove Albion football and Sussex cricket teams

  • Mail


Do you think your smartphone is making you a workaholic?