Dealing with data – The 'burden-less' business?

Sara Kelly of COADEC reviews Viviane Reding's latest proposals for EU Data Protection reform

Image: Viviane Reding. EU Social @Flickr. CC BY-NC-SA 2.0 licence

“Businesses will now be burden-less under these reforms”, announced Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, during the launch yesterday of reforms to the EU's 1995 data protection rules aimed at strengthening online privacy rights.

Leaked drafts of the directive have been circulating since December, and many of today's announcements were trailed in Reding’s speech to the Digital Life Design (DLD) conference in Munich last weekend. Key changes confirmed today include a single set of rules on data protection, the requirement of reporting data breaches within 24 hours, the requirement of explicit consent, and possibly most controversially, the “right to be forgotten”.

Amid reports ahead of the announcement of the burden of complicated procedures of data protection, Reding used her address today to highlight the burden on businesses in complying with 27 different data protection requirements across the EU. This has limited the ability of many businesses to operate services that deal with data in multiple countries, so harmonisation of these codes will be welcome by businesses of all sizes as a way of saving time and money. Moreover, the directive’s proposed exemption for companies with fewer than 250 employees from the requirement to have a data protection officer shows that the Commission is conscious of the particular challenges that small businesses face in complying with these types of rules.

That said, it is not at all clear that the new directive will eliminate burdens for small businesses, and indeed there appears to be significant potential to increase them. This is especially true on two fronts:

• The “right to be forgotten” principle has a very real danger of being misused, in a way that particularly affects the owners of small social websites that rely on content from users. The directive as it stands outlines that the only way a user will not be able to remove their data is when this relates to a criminal investigation. The “right to be forgotten” could easily become “the right to take content and sell it for more money when I think it might have more value than when I originally gave you the right to use it”.

• Meanwhile, the heavy fines proposed for non-compliance may fall disproportionately on smaller enterprises, and it is possible that an inadvertent error may be enough to put one out of business

Addressing issues of data security is of course vital, but it must be balanced against the very legitimate uses of data employed by innovative businesses—most notable, social networks. Globally we have increasingly enjoyed the liquidity of information that the Internet provides. A picture shared or a blog posted can reach a wider audience than ever before, and that has bought with it incredible opportunities for those wishing to share their content and those designing platforms to do this. 

The proposed directive will now be passed on to the European Parliament the Council of Ministers for discussion. We hope that these discussions will flesh out some of the details this directive desperately requires to ensure that the removal of one burden does not in turn lead to the creation of new ones, especially where the result would be detrimental to small, innovative businesses.

Sara Kelly is Policy and Development Manager for COADEC, The Coalition for a Digital Economy. COADEC works to support legislation and other government policies that foster a lasting, sustainable and innovative digital economy for Britain.