An Assessment of the Draft Data Protection Regulation: Does it Effectively Protect Data?

An Assessment of the Draft Data Protection Regulation: Does it Effectively Protect Data?

Luke Danagher [1]

Cite as: Danagher, L., 'An Assessment of the Draft Data Protection Regulation: Does it Effectively Protect Data?' European Journal of Law and Technology, Vol. 3, No. 3, 2012

1. Introduction

Data protection is becoming one of the fastest growing areas of European Union (EU) law. In the last forty years, data protection has progressed from a marginal national concern to one of the fundamental goals of the EU. This explosive growth has continued due to the unprecedented success of the internet. However, evolving technology and the ubiquitous nature of computing have created countless problems for the protection of personal data. As a consequence, a pan-EU approach to data protection was required if data subjects were to ever enjoy a meaningful level of data protection in the EU. Accordingly, the EU has enjoyed considerably more competence in the area of data protection since the field's conception.

The primary aim of this paper is to assess the recently proposed draft Regulation on data protection. [2] Recent calls for reform have not been unheeded by the Commission and as a result, in early 2012, the Commission announced that it was seeking to radically reform the current data protection regime through the introduction of a new, all-encompassing Data Protection Regulation. This paper will attempt to answer the question of whether data protection laws can be 'practically enforced in the transnational, borderless, information-dense world the internet has now created?' [3] In doing so, the discussion will centre on, not only the substantive provisions of the Regulation, but also the theoretical and political implications of the reform. This discussion will illustrate that the proposed Regulation creates numerous problems of its own. Therefore, it will be argued that numerous revisions should be made to the Regulation prior to its enactment. If the Regulation was to come into force in its current form, it could create more problems than it rectifies.

The paper will culminate in arguing that the proposed Data Protection Regulation be amended in several areas prior to its final promulgation as at present, it fails to provide data subjects with an adequate level of protection in the borderless, information-dense world that the internet has created. Data protection is now a fundamental goal of the EU and it should be treated with the appropriate level of respect by EU bodies. While the proposed Regulation builds on the success of the current Directive, it nonetheless presents a flawed approach to the protection of personal data in its current form. Therefore, it will be argued that the proposed Regulation be amended so as to take account of the issues highlighted throughout this paper. If such amendments are made, the proposed Data Protection Regulation could provide EU based data subjects with an unparalleled level of protection. A higher level of data protection will naturally encourage data subjects to relinquish control of their data to third parties. This will facilitate the free and easy trade of data across the EU. Such trade is vital for the economies of EU Member States and it will be the proposed Data Protection Regulation which allows the single market to continue to grow in a technologically evolving world.

2. Data Protection Regulation

The Commission considers that the implementation of a new single law on data protection will rectify many of the problems evidenced in the operation of the current Data Protection Directive 95/46/EC and save businesses approximately €2.3 billion per annum by removing the administrative burdens associated with the current data protection regime. [4] These goals are to be achieved through substantive changes to the current law and by replacing the current Directive with a Regulation. With 72 per cent of internet users in Europe worrying that they are being asked for too much personal data online, it appears that individuals across the EU need further reassurance that their personal data will not be misused or abused by data controllers, particularly online. [5] Without further reassurance, internet use may decline, particularly in areas where vast amounts of personal information are required e.g. online shopping and social networks. Internet users need stronger rules governing the use of personal data and the proposed Data Protection Regulation seeks to provide such rules.

2.1 Prior to the Regulation's Announcement

The Commission has progressed the current reforms in a transparent manner. In 2009, it initiated public consultations on data protection and engaged in debate with stakeholders. [6] [7] On 4 November 2010, the Commission published a Communication which outlined the main themes of the reform. [8] It also engaged in consultation with the European Data Protection Supervisor and national data protection authorities in an effort to 'explore options for more consistent application of EU data protection rules across all EU Member States.' [9] The transparent approach taken by the Commission has allowed both national authorities and those who will be most affected by the reform to voice their opinions. Such an approach is to be commended as it ought to make for more acceptable reforms which are not too far removed from the complexity of the application of data protection rules in the real world.

2.2 From a Directive to a Regulation

One of the most obvious changes to be introduced by the proposed reform is the move away from a non self-implementing Directive to a Regulation which will have direct effect. This change in legal status was primarily chosen in an attempt to prevent data protection rules being implemented in diverging fashions across the EU. The lack of harmonisation across the EU in the field of data protection is the greatest flaw of the current regime and the move to a Regulation aims to rectify this situation. It remains to be seen whether the move to the use of a Regulation in this area will be problem free. However, it does pose some problems at a theoretical and practical level.

The choice of a Regulation appears to be an obvious one to most as it effectively eliminates many of the problems caused by the lack of harmonisation under the current Directive. However, some Member States (e.g. Germany) may be reluctant to agree to the use of a Regulation because they consider their national laws to be currently providing a higher level of data protection than the proposed Regulation. In addition, '[t]he draft proposal may even be challenged in court… the legality of the proposal has been questioned in light of German constitutional law.' [10] Conversely, in the United Kingdom, their current laws are considered to be less burdensome for business. This was done in an effort to encourage foreign investment from outside the EU. Therefore, agreeing to the Regulation could result in a decrease in commercial investment in the United Kingdom, particularly from US based undertakings.

While some Member States may view the move to a Regulation in this area as controversial and it will undoubtedly be hotly debated in the Council of Ministers, it is argued that the move 'will probably find support in the European Parliament.' [11] Notwithstanding the constitutional issues which some Member States may have with the move to a Regulation, the move should be welcomed. The move to a Regulation will provide a stable platform for the uniform implementation of data protection laws across the EU. Harmonisation across the EU is improbable without the adoption of a Regulation. This adoption would prove to be highly beneficial to both data controllers and subjects in the coming years as many of the difficulties associated with the lack of harmonisation in this area would be eradicated. [12]

2.3 Substantive Changes

According to Kuschewsky, '[t]he reform will build upon well-established principles of the existing regime, but will also give it some much-needed teeth, making it more burdensome and hard-hitting for businesses and organisations.' [13] The majority of the changes are aimed at reforming the way in which large undertakings (over 250 employees) process data. The burden on small and medium enterprises will be lessened by a number of exemptions applying to them. Similarly, numerous exceptions also apply to the processing of personal data by public authorities.

2.4 Public Authorities

Most notably, the processing of personal data by competent public authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences is to be governed by a more specific legal instrument at Union level. [14] This legal instrument has not yet been drafted but should be in place prior to the enactment of the Data Protection Regulation. Accordingly, the draft Regulation does not apply to processing activities carried out by public authorities for criminal law purposes. Such a decision is welcomed as the Regulation needs to be drafted in a general manner in many areas so as to make it technologically neutral. However, such generalities could prove to be disastrous if the Regulation applied to criminal law matters.

While the legitimate interests of a data controller may provide a legal basis for processing, this legal ground does not apply to public authorities. This exception is justified on the basis that it is for the national legislator to provide by law the legal basis for public authorities to process data. [15] This limitation effectively curtails the amount of processing which a public authority can carry out without explicit legislative authorisation. It also allows Member States to establish the processing abilities of their public bodies rather than having a uniform level across the EU. This exception effectively reduces the amount of personal data which a public authority can process, whilst simultaneously providing Member States with the ability to choose the level of processing which can be carried out by public authorities.

In addition, public authorities of third countries which offer goods/services to data subjects in the EU or monitor their behaviour do not have to designate a representative in the EU. [16] This appears to be a practical concession because if all such public authorities had to designate a representative in the EU, the number of representatives would be extremely high. Also, many national governments could view the designation of a representative as overly burdensome and unnecessary. With the aforementioned exceptions in mind, the key changes to be introduced by the Regulation will now be outlined. The following areas have been chosen as they are considered to be the most portentous reforms contained in the Regulation. It is the following reforms which will decide whether the proposed Regulation will effectively protect data in the EU during the coming years and beyond.

2.5 Right to be Forgotten

The Regulation contains a strengthened 'right to be forgotten'. [17] It provides that a data subject has a right to obtain from the data controller the erasure of personal data pertaining to them where:

  1. The data was acquired while the data subject was a child (under the age of 18). [18]
  2. The data is no longer required for its original purpose. [19]
  3. The data has been stored beyond the consented to period of time. [20]
  4. The data is used for direct marketing purposes. [21]

The right to be forgotten also enables the data subject to request a data controller, who has made their personal data public, to inform third parties who are processing the data, that the data subject wishes them to erase all links to or copies of the personal data. [22] In addition, Article 17 (3) provides that a data controller must now prove why they need to keep an individual's personal data, rather than the current scenario where a data subject must prove that the collection of their data is unnecessary. In a world of user generated internet content which is most popularly accessed via internet search engines, the draft Regulation's 'right to be forgotten' appears to create more problems than it solves. As more and more of an individual's personal data is disseminated across the internet, the right to be forgotten appears to be a useful tool for compelling an undertaking to erase personal data which is no longer required, acquired when the data subject was under the age of 18, has been held beyond the consented to time, or is used for direct market purposes. [23]

However, the 'right to be forgotten' puts internet search engines in a troublesome predicament. 'Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.' [24] This means that an internet search engine may become responsible for the erasure of personal data which was posted by a third party but is accessed through the search engine. Further difficulties arise in the case of social networking sites. [25] For example, unflattering information on a data subject is posted by the data subject themselves on a social networking site, which is subsequently copied and re-posted on a stranger's website. After deleting their original post, the data subject finds the post on a stranger's website. Evidently, the role of data processor and controller is blurred in this example. However, it appears that under Article 17(2) of the Regulation, the data subject will now be able to hold the internet search engine/ social networking site responsible for the publication of this information and demand that all links to the data be erased. This very probable example highlights that under the newly strengthened 'right to be forgotten' provision, data subjects can request the erasure of their personal data which was originally made public by them but later republished by a third party. Astonishingly, it appears that an internet search engine which merely provides a link to the third party's page may become responsible for the deletion of all links to the data posted by the third party with whom the internet search engine has no affiliation.

This is clearly not a desirable situation as it not only allows false data to be erased but also data which is true, but unflattering to the data subject. The possibility that internet search engines could be held accountable for the erasure of links to websites which post such data could easily be abused and lead to a high level of censorship on the internet. Accordingly, a revision of the 'right to be forgotten' is called for. In particular, greater clarification on the accountability of internet search engines and social networking sites is required. It is worth noting that the inclusion of a 'right to be forgotten' merely aids data subjects after the damage is done. [26] By the time the right can be relied upon, the data in question has been processed. Accordingly, it is argued that the 'right to be forgotten' does not present any major benefits to data subjects, but merely creates further (unnecessary) burdens for commercial entities. While it could be argued that the 'right to be forgotten' may represent a paradigm shift towards the greater protection of data in light of the business models of social networking sites and internet search engines, it is argued that the 'right to be forgotten' is too vague in its current form and needs to be further clarified if it is to truly bestow greater protection on data subjects. [27]

2.6 Consent

Under the draft Regulation, data controllers bear the burden of proof for the data subject's consent. [28] However, consent will not be sufficient to allow the processing of an individual's personal data where there is 'a significant imbalance between the position of the data subject and the controller.' [29] In addition, a declaration of consent for the processing of personal data must be presented by a data controller in a distinguishable manner from all other communications between the two entities. [30] This is particularly important in the online environment. [31] Under the Regulation, consent cannot be lawfully obtained if it is hidden within a check-box that discusses numerous other issues. Rather, a data subject's consent must be obtained by them agreeing to a consent statement which is separate and distinct from all other information presented to them.

This rather stringent provision is diluted by Article 6 (1) (b-f) and Article 6 (2), which provide numerous situations where processing may occur absent the explicit consent of the data subject. These bear considerable resemblance to the exceptions contained in Article 7 of the current Data Protection Directive. Under the Regulation, consent is not required for processing to occur if:

  1. Processing is necessary for the performance of a contract between the data subject and the data controller;
  2. Processing is necessary for compliance with a legal obligation to which the data controller is subject;
  3. Processing is needed in order to protect the vital interests of the data subject;
  4. Processing is necessary for the performance of a task carried out in the public interest;
  5. Processing is required for the purpose of the legitimate interests pursued by a controller.
  6. Processing is necessary for the purpose of historical, statistical or scientific research.

The increased burden on data controllers to present declarations authorising the processing of personal data to a data subject in a distinguishable manner from all other communications between the two entities is to be commended. Without such a provision, declarations of consent can be hidden amongst pages of terms and conditions. This is a particular issue given the ubiquitous nature of computing in the modern information-dense world. The presentation of consent declarations in a clear and intelligible manner will encourage trust amongst data subjects in relation to how their data is being acquired over the internet. Such trust is crucial if the internet is to be utilised to its full potential. This would undoubtedly be beneficial to data controllers and subjects alike as it would increase revenue for undertakings offering online services and it would encourage cross-border trade between individuals and undertakings. While this provision appears to be a simple addition to the current approach, it should nonetheless greatly improve the current online situation where most people do not feel that they are in control of their personal data. [32]

2.7 Transfer of Personal Data to Third Countries

The proposed Regulation aims to extend the scope of the current Directive beyond the territorial boundaries of the EU. The Regulation seeks to cover undertakings not based in the EU and with no discernible operations in the EU. Under Article 3 (2), the Regulation will apply to undertakings not established in the EU 'where the processing activities are related to: (a) The offering of goods or services to such data subjects in the Union; or (b) The monitoring of their behaviour.' [33] It should also be noted that under the above situation, the data controller must designate a representative in the EU. [34] Whether the appointment of an EU based representative will enable data subjects in the EU to readily enforce their rights against errant undertakings operating in a third country is unclear. In addition, the extra-territorial dimension of the Regulation could prove to be highly controversial.

The conferring of rights and the ability to readily enforce them are two radically different things. While data subjects can expect EU based undertakings to respect the provisions of the Regulation in the processing of their personal data, the same expectations cannot apply to data controllers outside the reach of EU law. While the Regulation professes to apply to non-EU based undertakings where they process the personal data of EU based data subjects, the sanctions contained within the Regulation cannot be effortlessly enforced. While large undertakings with permanent operations in the EU will most likely accept the imposition of fines for their non-compliance with the Regulation, undertakings which are more readily able to abandon their EU based operations may not accept the fines and would ultimately remain unpunished for their breaches of the Regulation. [35] While this situation is unlikely to be of major concern to most data subjects, it nonetheless requires further attention by the Commission in order to bolster data subjects' rights and make such rights more readily enforceable.

2.8 Safe Harbour

Given the high level of criticism the Safe Harbour Agreement has received since its implementation, it is perhaps surprising to note that the Agreement has not been altered by the draft Regulation. [36] From a commercial point of view, this appears to be a major flaw. A revision of the Safe Harbour Agreement could have allowed it to become a more widely accepted method of transferring personal data between the EU and the US. In its current form, the Safe Harbour Agreement provides a lower level of data protection than is acceptable in the EU. From an American perspective, the Safe Harbour Agreement exposes undertakings to liability where there would ordinarily be none. Therefore, the Safe Harbour Agreement is best seen as a poor attempt at bridging the gap between EU and US data protection norms. As such, neither party is happy with the current arrangement. Perhaps if the Safe Harbour Agreement was amended so as to provide a level of protection akin to that offered in the EU, at least data subjects would be better protected and one party to the Agreement would be content. However, the retention of the Safe Harbour Agreement in its original form by the Commission is highly telling. Put simply, the Safe Harbour Agreement is a powerful leveraging tool. It effectively demands that US undertakings adopt an EU-style data protection system or have personal data transfers to them made illegal.

While the extension of EU-style data protection laws beyond the borders of the EU appears to be a goal of the Commission, the Safe Harbour Agreement has proven to be of little value in encouraging the US to adopt such a data protection regime. Using the Safe Harbour Agreement as a tool to create an EU-style data protection regime in the US appears to be a highly flawed goal and one which ought to be abandoned by the Commission. Attempts at coercion will ultimately fail. This is primarily because the US does not need the EU's symbolic stamp of approval for it to be content with its data protection regime. [37]

2.9 Sanctions

The sanctions which may be imposed on a non-compliant undertaking are extensive under the draft Regulation. National supervisory authorities are empowered to impose administrative fines on errant undertakings. [38] These can range from a fine of up to 0.5 per cent of an undertaking's annual worldwide turnover (not to exceed €250,000) for a minor infringement, up to 2 per cent (not to exceed €1,000,000) for more serious offences. [39] However, the deterrent effect of these sanctions on the largest conglomerates in the world appears to be minimal. By placing a cap on fines which is much lower than many of the record fines imposed on undertakings for breaches of competition law, the Commission has presented data protection as less important than the protection of competition on the market. This is despite both being of fundamental importance to the future growth of the single market. When the record fine of €497,196,304 which was imposed on Microsoft by the Commission is compared with the upper limit of €1,000,000 for data protection infringements, the protection of data in the EU appears to be less of a concern than the protection of competition.

While the use of fines as a sanction for the misuse of personal data is welcomed, the cap of €1,000,000 for the most serious offences is not. With its new legal standing, data protection is analogous to competition law in that the promotion of both is fundamental to the growth of the single market. However, placing such a low cap on possible sanctions axiomatically presents data protection as inferior to the protection of competition. In accordance therefore, undertakings may view data protection as a lesser concern. Additionally, the imposition of a fine of €1,000,000 on some of the largest undertakings in the EU would hardly be a blip on their radar. Consequently, data protection issues may not receive the attention they would if the possible fines were increased to a more significant level.

However, a cap on the level of possible fines should be retained, albeit at a higher level. Given the importance of data protection in the EU, it is suggested that a cap on fines in line with that proposed by the Office of Fair Trading in cartels cases (10 per cent of annual turnover) be applied. [40] This would naturally be on a decreasing scale which would be dependent on the severity of the data breach and other mitigating factors. The cap on fines should be in line with those of competition law as both are essential for the future growth of the single market. Evidently, the creation of a cap on possible fines requires a balancing act. At present, it appears as though the balance has swung in favour of large undertakings to the detriment of individual data subjects whose personal data may be misused because the deterrent level of sanctions is too low.

2.10 Privacy by Design

The Regulation provides for a principle of data protection by design and by default. [41] Under this principle, data controllers will be obligated to provide data subjects with the highest level of data protection by default. It is at the data subject's discretion whether to reduce their personal level of protection by opting-out of particular safeguards. According to Article 23 (1), an undertaking must ensure that only necessary personal data is processed and that it is for a specific purpose. Such data must not be retained beyond the minimum time required for such processing and that this data is not made accessible to an indefinite number of individuals. In essence, Article 23 requires data controllers to provide data subjects with the highest level of data protection by default and the level of protection can only be eroded with the explicit consent of the data subject. Naturally, this requirement can only be enforced once due regard has been paid to the state of the art and the cost of implementing appropriate technical and organisational measures. [42] If the cost of implementing a principle of data protection by design in a particular undertaking is inordinately high, or if the highest level of data protection could not be included by default, due to technical reasons when the good/service was offered, then the data controller cannot be held liable.

The Commission views the draft Regulation as being highly beneficial to EU based undertakings by consolidating existing rules, creating a uniform set of data protection rules across the EU, and by reducing the bureaucratic inefficiencies of the current regime. In return for these benefits, undertakings must integrate 'privacy by design' principles into their business process. [43] The addition of a principle of data protection by design and default is particularly welcomed. It should prove to be highly beneficial to data subjects, particularly in the area of social networking websites. With the highest level of data protection being provided to data subjects by default, many social network users can rest assured that the current confusing privacy settings of social networks will have to be overhauled to provide users with the highest level of data protection automatically. It will be at the data subject's discretion whether to reduce their personal level of protection and not vice versa. Given that at present only 26 per cent of social network users in the EU feel in complete control of their data, the introduction of a principle of data protection by default is definitely required. [44]

2.11 Processing of a Child's Personal Data

In addition to the higher level of protection afforded to sensitive personal data such as a person's race, religious beliefs or criminal conviction, all data which relates to a child below the age of 13 years is further protected by the requirement that the child's parent or custodian gives their consent to the processing. [45] While this provision is commendable, the Regulation does not specify the criteria and requirements for the giving of valid and verifiable consent. In particular, how such consent is to be obtained by small and medium enterprises is unknown. While further clarification is anticipated in the form of delegated Acts, extensive discussion on this subject appears futile without further clarification by the Commission. [46]

2.12 Data Protection Officers

Undertakings are further burdened by Article 35, which provides that a data controller or processor must designate a data protection officer where:

  1. 1. The processing is carried out by a public body;
  2. 2. The processing is carried out by an enterprise employing 250 persons or more;
  3. 3. The processing involves the regular and systematic monitoring of a data subject.

The draft Regulation attempts to mitigate the stringent nature of this provision by permitting a group of undertakings to appoint one data protection officer to monitor the entire group. [47] This concession can also apply to public bodies, depending on their organisational structure. [48]

The role of a data protection officer is a taxing one. The Regulation outlines in detail the tasks which a data protection officer is to be entrusted with. These include; advising the data controller/processor on their legal obligations under the Regulation, ensuring that the requirement for data protection by default is maintained and that data subjects can exercise their rights under the Regulation, and to notify all data breaches to the supervisory authority and the data subject. [49] Under Article 35, private undertakings with more than 250 employees must employ a data protection officer. Not only is the role of data protection officer a particularly complex one but, data protection officers will also have to be extensively trained and experienced in data protection law if they are to fulfil their duties effectively. The appointment of data protection officers poses certain considerable problems.

At present, there is a dearth of adequately trained persons working in the field of data protection. Prior to this Regulation, there was no need for large amounts of individuals to be trained in data protection law. However, the draft Regulation clearly changes this position dramatically. Consequently, it appears highly improbable that a sufficient number of data protection officers will be available for appointment prior to the promulgation of the Regulation. This will leave numerous undertakings in the precarious position of being in breach of the Regulation. Accordingly, it is argued that a coordinated effort between the Commission and commercial undertakings based in the EU is required if data protection officers are to be appointed within time. Data protection is a complex area of law and as a consequence, future data protection officers need to be trained to a high level before they accept commercially responsible positions. Such training takes a large amount of time and therefore, it is argued that the Commission should begin its efforts to promote data protection as a field of study sooner rather than later.

3. Other Notable Changes

The previous discussion has outlined the primary changes to be introduced by the draft Regulation. However, numerous other modifications are contained within the proposed Regulation and these will now be outlined. In relation to the processing of sensitive data, the Regulation now includes the processing of genetic data under the umbrella of sensitive data. While this change is welcomed, the omission of an individual's finances from this category is still perplexing. While financial information can be considered distinct from 'traditional' sensitive data i.e. it does not relate to an individual's physical state or beliefs, the protection of an individual's financial standing would nonetheless be considered by most to be of paramount importance and as a consequence, the omission of this category from the list of sensitive data appears to be a mistake on the part of the Commission. [50]

The provisions surrounding the right of access for a data subject have also been revised. [51] They are now presented in a much more detailed, clear, and coherent manner. While it bears considerable resemblance to the current Directive, the proposed Regulation provides a data subject with the right to be informed of the significance and envisaged consequences of the processing of their personal data. A data subject is also to be provided with information outlining the period for which their personal data will be stored. Additionally, a data subject must be provided with information by the data controller on their right to lodge a complaint with the relevant supervisory authority. While the changes in this area are not as significant as others, they nonetheless clarify the law, especially as it relates to a data subject. Given the amount of data which is disseminated across the world by individuals, clarification of the law as it relates to individual data subject's rights is to be welcomed.

Additional clarification on the requirements of a data controller engaged in the processing of personal data which, by virtue of its nature or scope, poses a considerable threat to the fundamental rights and freedoms of a data subject has been provided by Article 33. Threats to an individual's freedoms include the processing of sensitive information, financial information, information on children, and monitoring public areas (particularly when using video surveillance devices). In such circumstance, the controller is obliged to carry out an assessment of the impact of the envisaged processing and provide adequate safeguards. It is evident in this case that the requirement to provide a high level of data protection is considered to be more important than reducing bureaucratic inefficiencies and increasing business efficacy.

3.1 Notification of a Breach

Another provision of the Regulation which could receive mixed reviews if implemented is Article 31. Under Article 31, data controllers must notify the supervisory authority of a personal data breach within 24 hours. Given the severity of fines which can be imposed for a personal data breach, it could be argued that the time limit is too short and it places too high a burden on data controllers. On the contrary, it is argued that the deadline for notification is made intentionally short by the Commission in an effort to keep data protection to the fore of a data controller's agenda. In this light, the limited notification time appears to be highly beneficial for data subjects as it obliges data controllers to consistently maintain a high level of data protection. Therefore, while undertakings may view this requirement as being overly burdensome, it should nonetheless be retained in the final version of the Regulation. In this situation, an individual's right to data protection should not be overshadowed by the desire on the part of undertakings to reduce their administrative burdens. Data protection should be at the top of many undertakings' agenda and the requirement to notify a breach within 24 hours serves to maintain the importance of data protection in the commercial world.

In addition, this reduced timeframe seeks to address the 'reactive' nature of current data breach notification requirements. [52] Undertakings are required to notify a breach, but the incentive to prevent such a breach is low under the current approach. By reducing the permissible notification period, it would be in an undertaking's best interest to prevent data breaches from occurring altogether as the short timescale may make undertakings afraid of failing to notify in time. While it has been argued that data breach notification requirements 'impose high compliance costs on relatively few businesses while providing only weak incentives to most businesses to make major changes in the security of their information systems', it is argued that the 24 hour time-limit should be retained. [53] The increased cost to undertakings is minimal when compared with the catastrophic consequences of data breaches, particularly where the security of sensitive data is breached. In addition, the prevention of data breaches should be top of an undertaking's agenda as the ultimate '[d]isclosure of a security breach tarnishes a company's public image.' [54] Evidently, the protection of personal data is beneficial to both individuals and major undertakings alike and the 24 hour notification period serves to ensure that data is protected in a proactive rather than a reactive manner.

3.2 Overview of the Changes

Evidently, the Commission aims to introduce new data protection rules which will radically overhaul the current position in many areas. The draft Regulation seeks to eradicate many of the flaws of the current system, whilst concurrently ensuring that data protection laws do not overshadow an individual's right of freedom of expression. [55] Any attempt at radically reforming such a broad and technical area of law will naturally pose numerous problems and the draft Regulation is no exception. The Regulation contains several areas which are in need of further consideration by the Commission if it is to become the benchmark for worldwide data protection over the coming centuries.

The Draft Regulation will now be discussed in both the Council and the Parliament. Its adoption is only possible through co-decision with a majority in favour of adoption in each house. The Regulation is most likely to come into force around 2015. Given the complexity of the debates which will surround the Regulation's adoption, it is unsurprising that the Regulation will take a few years to enter into force. The draft Regulation seeks to govern data protection for the foreseeable future and as such, its adoption should not be rushed. The opinions of governments, captains of commerce, and independent advisory bodies will most likely be sought prior to the enactment of the Regulation. [56] This will ultimately result in changes being made to the Regulation, with each side making concessions in order to benefit from changes elsewhere in the Regulation. It is hoped that the changes made to the draft Regulation will coincide with those previously discussed. However, given the strong stance taken by EU bodies with respect to data protection, it is argued that very few concessions will be made for the sake of business efficacy. The EU seeks to provide individuals' with the highest level of data protection and this goal will not be altered easily by pleadings from commercial entities that the proposed Regulation is overly burdensome on them.

4. Conclusion

While data protection laws apply to analogue and manual processing as well as digital forms of processing personal data, the internet is undoubtedly posing the greatest number of problems for the protection of personal data in the EU. This paper has attempted to answer the question of whether data protection laws can be 'practically enforced in the transnational, borderless, information-dense world the internet has now created?' [57] Data protection as a field of law has progressed rapidly since its humble beginnings in the early 1970s. It has moved from being an area of law which is purely of national concern to being an area which merits the highest level of attention by the EU.

However, data protection finds itself in the precarious position of having to balance an individual's right to have their personal data protected, whilst also fostering EU undertakings in a global marketplace. The primary and current vehicle utilised by the EU to achieve this goal is the Data Protection Directive. Despite its forward thinking nature and its technologically neutral stance, the Data Protection Directive is undoubtedly beginning to show its age. With the introduction of the Lisbon Treaty, the EU Charter of Fundamental Rights became legally binding. In particular, Article 8 thereof, which provides for a right of data protection, is now legally binding in the EU. In accordance therefore, data protection has now become a fully fledged policy of the EU and its position has been further solidified due to its inclusion in Article 16 of the Treaty on the Functioning of the European Union. As a result of this change in legal status, there was a need for the current law to be reformed in order to provide data subjects with a high level of data protection and for the single market to operate more efficiently.

As a result, the Commission published the draft Regulation on data protection in early 2012. Its primary aim is to reduce many of the inefficiencies evidenced under the current approach to data protection in the EU. The move from a directive to a regulation was a key but controversial decision by the Commission. In addition to this change in legal status, many of the provisions of the current Directive have been altered in the proposed Regulation. The draft Regulation is clearly a major statement by the Commission; data protection is a primary concern of the EU and its promotion is imperative to the future growth of the single market.

Despite the need for reform being of crucial importance, the draft Regulation is not a perfect solution to all the problems of the current regime. As evidenced previously, the draft Regulation, in its attempt to resolve many of the problems of the current regime, creates entirely new difficulties for both individual data subjects and international conglomerates alike. It has been argued therefore, that the current draft Regulation be amended prior to its enactment so as to take account of its numerous failings as highlighted in the previous discussion. However, the draft Regulation generally represents a major leap forward for data protection in the EU. It provides a more readily understood set of rights for data subjects and in most areas, the obligations of data controllers are set out in a clear and intelligible manner. Furthermore, the draft Regulation appears to generally reflect the information-dense world in which data now flows (relatively) freely across national borders.

While the draft Regulation appears to be a commendable attempt at reforming this complex area of law, it nonetheless serves to illustrate one of the primary flaws of modern EU legislative action. Recent reforms appear to be major overhauls of areas of law rather than subtle tweaks. This approach can not only prove to be highly controversial in many Member States, but it also creates flawed legislation. The pursuit of perfection can often prove to be an endless journey and this is especially true when it comes to law. The dexterity and precision of a seamstress' needle is more often required than the unwieldy blow of a broad sword. The major overhaul of an area of law can create unforeseen and often catastrophic problems. Many of the issues previously highlighted stem from the fact that the Commission attempted to reform this dense area of law in one fell swoop. It is argued accordingly that the Commission ought to carry out future reforms in a more piecemeal manner. This would make reforms more palatable for reluctant Member States and would allow the Commission to adjust future reforms in light of the performance of previous attempts at reform. Therefore, less contentious issues such as the imposition of fines, providing children with a higher level of protection, and privacy by design should be introduced first. This would allow flaws in the law to be addressed more readily and it would allow discontented undertakings to adjust to the reforms over a period of time instead of being 'hit' with a mass of reforms in one blow. Accordingly, it is argued that contentious reforms such as those relating to the transfer of data to third countries and the 'right to be forgotten' be left until last. Such reforms are most likely to receive opposition and given their possible ramifications, more time is needed in order to assess all the possible consequences of these reforms. Rushing through reforms in these areas is a mistake and the unforeseen errors of today could well lead to the foreseeable disasters of tomorrow.

Notwithstanding the rather cumbersome approach taken by the Commission, the draft Regulation on data protection is broadly welcomed in its current form. It should alleviate many of the problems caused by the lack of harmonisation under the current Directive. In addition, the proposed Regulation builds on the current Directive's success and provides data subjects with stronger rights and affords their personal data one of the highest levels of protection in the world. Furthermore, if the changes proposed throughout the paper are made, then the draft Regulation should prove to be extremely efficient at protecting the personal data of individuals across the EU.

If the aforementioned problems are addressed prior to the enactment of the proposed Regulation, it could prove to be an unequivocal success. However, if the Regulation is not amended prior to enactment, it could further perpetuate the failings of the current regime and create altogether new and more devastating problems. In conclusion, it is strongly argued that the next few years be used to refine the draft Regulation in order for it to reach its full potential. If the Regulation is amended accordingly, it could serve as a beacon for non-EU countries and the exportation of EU data protection rules across the globe could become a reality. The EU data protection regime would then truly reflect the information-dense, borderless world in which we live.



[1] Luke Danagher is a recent LLM graduate from the University of Limerick. His current research interests are in the fields of data protection, EU competition law, criminal cartels, EU criminal law and comparative competition law.

[2] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final

[3] Lilian Edwards, 'Privacy and Data Protection Online: The Laws Don't Work?' in Lilian Edwards and Charlotte Waelde (eds), Law and the Internet (3rd edn, Hart 2009) 443

[4] Commission, 'Safeguarding Privacy in a Connected World: A European Data Protection Framework for the 21st Century' COM (2012) 9 final, 8

[5] Special Eurobarometer 359, 'Attitudes on Data Protection and Electronic Identity in the European Union' (June 2011), 23

[6] Commission, 'Public Consultations' <http://ec.europa.eu/justice/news/consulting_public/news_consulting_0003_en.htm> accessed 3 July 2012 and Commission, 'Public Consultations' <http://ec.europa.eu/justice/news/consulting_public/news_consulting_0006_en.htm> accessed 4 July 2012

[7] Commission, 'Safeguarding Privacy in a Connected World: A European Data Protection Framework for the 21st Century' COM (2012) 9 final, 3

[8] Commission, 'A Comprehensive Approach on Personal Data Protection in the European Union' COM(2010) 609 final

[9] Commission, 'Safeguarding Privacy in a Connected World: A European Data Protection Framework for the 21st Century' COM (2012) 9 final, 3; see also Article 29 Working Party, 'Other Documents' <http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/index_en.htm> accessed 3 July 2012

[10] Monika Kuschewsky, 'Sweeping Reform for EU Data Protection' (2012) 112 European Lawyer 12, 14

[11] Peter Hustinx, 'Review of the EU Framework for data Protection- The Current State of Play' (Emerging Challenges in Privacy Law: Australasian and EU Perspectives Conference, Melbourne February 2012) <http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/Publications/Speeches/2012/12-02-24_Videomessage_Melbourne_EN.pdf> accessed 22 June 2012, 3

[12] See further: Fiona Carlin, 'The Data Protection Directive: The Introduction of Common Privacy Standards' (1996) 21 European Law Review 65

[13] Monika Kuschewsky, 'Sweeping Reform for EU Data Protection' (2012) 112 European Lawyer 12, 12

[14] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final, para 16

[15] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final, para 38

[16] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final , Article 25 (2)(c)

[17] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final, Article 17

[18] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) Article 17 (1) and Article 4 (18): Note also the higher protection afforded to children under the age of 13 by Article 8.

[19] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final , Article 17 (1) (a)

[20] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final, Article 17 (1) (b)

[21] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final, Article 17 (1) (c) and Article 19 (2)

[22] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final, Article 17 (2)

[23] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final, Article 17 (2)

[24] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final, Article 17 (2)

[25] Richard Jones and Dalal Tahri, 'An Overview of EU Data Protection Rules on Use of Data Collected Online' (2011) 27 Computer Law and Security Report 630, 631

[26] Jef Ausloos, 'The 'Right to be Forgotten'- Worth Remembering?' (2012) 28 Computer Law and Security Report 143, 147

[27] Paul Bernal, 'A Right to Delete?' (2011) 2 European Journal of Law and Technology 1

[28] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final, Article 7(1)

[29] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final, Article 7 (4)

[30] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final , Article 7 (2)

[31] See further: James Grimmelmann, 'Saving Facebook' (2009) 94 Iowa Law Review 1137

[32] See generally: Special Eurobarometer 359, 'Attitudes on Data Protection and Electronic Identity in the European Union' (June 2011)

[33] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final, Article 3 (2)

[34] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final , Article 25 (1)

[35] Note for example the acceptance of Microsoft of the EU imposed fine in Case T-201/04 Microsoft v Commission [2007] ECR II-000

[36] For a discussion on this area see: Steven Salbu, 'The European Union Data Privacy Directive and International Relations' (2002) 35 Vanderbilt Journal of Transnational Law 655, 678- 680; Mike Ewing, 'The Perfect Storm: The Safe Harbour and the Directive on Data Protection' (2002) 24 Houston Journal of International Law 315, 336- 338

[37] Michael Birnhack, 'The EU Data Protection Directive: An Engine of a Global Regime' (2008) 24 Computer Law and Security Report 508, 517

[38] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final, Article 79 (1)

[39] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final , Article 79 (3)-(6)

[40] Office of Fair Trading, 'OFT's Guidance as to the Appropriate Amount of a Penalty' (2012) <http://www.oft.gov.uk/shared_oft/business_leaflets/ca98_guidelines/oft423.pdf > accessed 01 October 2012

[41] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final, Article 23

[42] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final, Article 23 (1)

[43] Commission, 'How Will the EU's Data Protection Reform Benefit European Businesses?' (2012) <http://ec.europa.eu/justice/data-protection/document/review2012/factsheets/7_en.pdf> accessed 21 July 2012, 2

[44] Special Eurobarometer 359, 'Attitudes on Data Protection and Electronic Identity in the European Union' (June 2011), 127

[45] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final, Article 8(1)

[46] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final, Article 8 (3); see also Article 86

[47] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final , Article 35 (2)

[48] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final , Article 35 (3)

[49] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final , Article 37 (1) (a)-(h)

[50] See: Karen McCullagh, 'Data Sensitivity: Proposals for Resolving the Conundrum' 2 Journal of International Commercial Law and Technology 190

[51] Commission, 'Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Regulation)' COM (2012) 11 final , Article 15

[52] Jill Joerling, 'Data Breach Notification Laws: An Argument for a Comprehensive Federal Law to Protect Consumer Data' (2010) 32 Washington University Journal of Law and Policy 467, 484

[53] Jane Winn, 'Are 'Better' Security Breach Notification Laws Possible?' (2009) 24 Berkeley Technology Law Journal 1, 3

[54] Lilia Rode, 'Database Security Breach Notification Statutes: Does Placing the Responsibility on the True Victim Increase Data Security?' (2007) 43 Houston Law Review 1597, 1624

[55] For an assessment of the current system see: Yves Poullet, 'EU Data Protection Policy. The Directive 95/46/EC: Ten Years After' (2006) 22 Computer Law & Security Review 206

[56] For example, the Article 29 Working Party.

[57] Lilian Edwards, 'Privacy and Data Protection Online: The Laws Don't Work?' in Lilian Edwards and Charlotte Waelde (eds), Law and the Internet (3rd edn, Hart 2009) 443