London, 9 December 2011
International companies operating in EU member states could be forgiven for dismissing the proposed changes to European data privacy law as the next step in the focus of the European Commission (“EC”) on reining in the power of Facebook, Google and other social media companies. They would, however, be missing the point.
A number of sources have reported comments made in the past week by the EC’s Vice President for Justice, Fundamental Rights and Citizenship, Ms. Viviane Reding, in which she suggests that the power of social media to target advertising based on users’ personal data should be restricted or, at best, fully disclosed to the user. The implication is that the EC may look to impose stricter rules on social media companies in the upcoming revisions to the 1995 EU Data Privacy Directive (“Directive”), to be announced next month.
“Ramp Up” of Regulatory Regime
Mark Child, Partner at Kingston Smith Consulting LLP, said today that companies trading within the European Union may need to closely examine the upcoming announcement in what may prove to be a “ramping up” of the EU data privacy regime – just when companies are looking to reduce their regulatory burden.
The proposals reportedly include a fine for companies breaching the Directive – up to 5% of their global turnover. The EC will also be asking companies with more than 250 employees to dedicate staff to data protection issues. In a move towards closer supervision from Brussels, companies will be required to report serious breaches of the Directive within 24 hours. Companies operating in multiple EU jurisdictions will be able to negotiate ‘Binding Corporate Rules’, under which a company agrees to operate according to the data privacy rules of one jurisdiction – even though its operations span more than one member state.
Regulators Feeling Financial Pinch
Strapped for cash in the current economic environment, Brussels regulators are following their global counterparts. Typically, the first step is to identify breaches from media reports, civil litigation, competitor complaints or reports from local regulators. New rules are then imposed, updating expected standards and commercial behaviour. The next step is to launch high-profile investigations, letting organisations know that the regulator means business. Finally, any breaches are usually resolved in the pre-trial phase through a lump sum payment – which in turn funds the regulators’ budget.
The EC has a track record of applying this approach to the Competition Law regime, which has resulted in billions of euros in fines for organisations such as Microsoft, Air France, Siemens and Pilkington.
It’s a new EU Regulation, Jim — But Not As We Know It
Child explains that “Data privacy has unique regulatory requirements. Many companies, in my experience, feel that their IT department has a complete understanding of data governance and, as long as they have attended an initial training session, all staff remain compliant. Monitoring takes place reasonably regularly, and the company reports breaches.
“But unfortunately data privacy is different to Health and Safety or the FSA Handbook. The company’s responsibilities include ensuring every external organisation which processes data on the company’s behalf abides by EU law – even if they are in Bangalore, Bermuda or Baltimore.
“The other threat comes from hackers looking for any weaknesses in the system. Their motives for stealing customer data may be financial, have political overtones or simply provide them with ‘street cred’ amongst other hackers. Other regulatory areas do not have the same external threats.”
Compliance Timeline
Every company should understand the implications of business decisions, such as moving to cloud services, for its data governance obligations under EU and international law. In addition to the EC Directive, there are a surprising number of other interacting statutes and standards which govern data privacy today, including for example: SOX; the FSA Handbook; the Data Protection Act 1998; HIPAA; ISO 27001 and BS 10012.
One bit of good news: reports suggest that the EU is moving “quickly” on this matter – so expect to see an updated Directive signed into law around 2014.
Mark Child is a partner at Kingston Smith Consulting LLP (“KSC”).
His previous career consisted largely of freelance consultancy, which accounts for the fact that he has worked in 92 countries for circa 52 organisations. These include senior audit and governance roles at a number of FTSE-100 and Fortune 500 companies.
Mark has two degrees, one in Economics and the other in Audit, Management and Consultancy. His qualifications include: Certified Information Systems Auditor, Six Sigma Black Belt, ISO 9001 Registered Lead Assessor, and membership of the Institute of Internal Auditors and the Project Management Institute. He is regularly invited to speak at conferences and events in the IT governance area.
KSC provides services in data governance; IT management; controls and assurance reviews; business continuity; compliance and audit staffing; and operational risk.
View Mark’s full profile at /ksconsulting/people/mark_child.htm
Mark may be contacted on +44 (0)207 566 4000 or MChild@kscllp.co.uk