Editor’s Note: Below is the outline of a UK case study in costing-out implementation of a data/privacy regulation. The British regulatory cost exercise demonstrates the need for US officials to ensure that regulatory cybersecurity burdens are minimized and fully justified by the benefits. Costs to corporations, states/localities/tribes, and the federal government need to be carefully considered. As CRE has noted, cost-effectiveness is the prerequisite for cybersecurity regulation.
TMT Legal Update: Justice Minister raises queries over UK cost of new EU Privacy Regulation
United Kingdom | TMT
09-05-2013
Précis
Justice Minister sets UK cost of new Privacy Regulation at up to £360m per year, contrasting with European Commission’s view that the Regulation would benefit the EU economy as a whole.
What?
The current EU Data Protection regime was agreed in 1995 and given the degree to which technology has developed since then, it has been likened to “an analogue regime for a digital world”. In order to reform the regime, the European Commission (the “Commission”) published plans for reforms in January 2012. The planned reforms would replace the current European data protection directive with new data protection legislation: an EU wide civil Regulation and a criminal Directive, introduced to harmonise data protection across the 27 member States.
The Ministry of Justice have released an Impact Assessment regarding the proposed new EU Data Protection Regulation. Lord McNally, the Justice Minister, announced to the House of Lords that the Regulation Impact Assessment predicted that the Regulation would cost the UK alone between £100m to £360m per year. This contrasted with the European Commission’s Impact Assessment which had estimated a €2.3 billion per year benefit for the EU economy as a whole.
So what?
The Commission plans to reform data protection laws across the European Community by putting in place the Regulation which aims to provide a uniform data protection regime across the EU. The new legislation will place additional responsibilities on Member States and, Lord McNally has argued, at an increased cost to the country. It is believed that this cost will result from additional administrative and compliance measures required by the Regulation. The following are some of the new requirements in the Regulation which the UK Government believes will lead to an increased cost:
- The requirement to notify the UK Information Commissioner’s Office (“ICO”) of personal data breaches without undue delay and, where feasible, within 24 hours is set out in Article 31 of the draft Regulation. This is one of the headline changes in the Regulation and for the first time extends mandatory breach reporting to all data controllers (not just public electronic communications providers as is currently the case under the e-Privacy Directive). Mandatory security breach reporting is already common in the USA where, although there is no such federal law, the vast majority of states have such local laws. By contrast to the US, however, the new EU obligation is not limited to only certain breaches (triggered by their perceived seriousness in relation to personal identifier information involved) but to all breaches, regardless of size, details or impact. The new obligation would also directly affect data processors (who currently are not subject to obligations in UK data protection legislation) since they would be bound to “alert and inform” the controller “immediately after the establishment” of such a breach. At present in the UK (for most data controllers) there is no legal requirement to notify data protection breaches, although the ICO expects that “serious” breaches should be reported to it and many companies choose to do so in line with good practice. The Government has estimated the future cost of notifying breaches at between £31 and £131 million per annum for the private sector alone, so the true cost could be substantially higher given the history of data breaches in the public sector. Of the data protection fines issued by the ICO between February 2011 to date, those involving the public sector outnumbered those in the private sector by more than 6:1;
- Under the new Regulation, data controllers will no longer need to notify the supervisory authority of their general personal data processing activities (although certain data exports will need approval). The ICO estimated the UK income for this at just under £16 million for 2012/13. Whilst this will be a saving for all UK data controllers who currently have to notify, it will be a loss for the ICO (which is currently funded from this income stream) and therefore although the ICO will need replacement public funding, it is cost neutral to the country as a whole (not counting the minor administrative fees saved);
- The “right to be forgotten” as set out in Article 17 of the Regulation would require data controllers to take all reasonable steps to inform third parties which hold and process that person’s data, that such individual has requested erasure. This obligation could carry many (possibly unforeseen) consequences should the data controller have published the details via the internet or lawfully disclosed them to a number of third parties e.g. with the data subject’s consent. Major US multinational companies responded arguing that such an obligation would be impossible to comply with given the speed at which data is replicated online once posted. Regardless of whether or not compliance with the right is realistically achievable, responses argued that it could cost companies hundreds of thousands of pounds in system development to try to comply with this obligation;
- The proposal to make Subject Access Requests (“SARs”) free of charge, as set out in Article 12(4) of the Regulation, as opposed to under current legislation which in the UK allows a £10 charge. The Government believes that removing the £10 fee could lead to an increase in requests of between 25% and 40% per annum. This in turn would lead to additional costs of between £12 and £37 million to data controllers. However, given that the Justice Committee Report argued that the fee should be removed, this seems to be one area where the Government may struggle to change the EU proposals despite their perceived cost implications;
- The new requirement to appoint a “data protection officer”, which applies to all public authorities or public bodies, all enterprises employing 250 persons or more, and any controller that requires regular or systematic monitoring of data subjects. Both the Justice Committee and the Government agreed that they did not approve of the 250 employee cut-off for requiring a data protection officer. It will be small to medium enterprises (“SMEs”) who will bear the brunt of this cost, which the Government estimates at between £30 and £180 million per annum in the UK. It would seem that requiring a data protection officer based on the volume and sensitivity of the data being processed would be a more efficient method of protecting data subjects, but it is not clear if the Commission will agree with this;
- Article 79 proposes increased levels of fines that the supervisory authorities will be able to impose with fines of up to €1m or, for enterprises, up to 2% of annual global turnover. This is a substantial increase on the current position, which allows the ICO to fine companies up to £500,000 for a specific serious breach of data protection legislation. The Regulation proposes 3 tiers of fines, with a starting band of up to €250,000 or 0.5% of turnover, a middle band of up to €500,000 or 1% of turnover and the third band of fines being up to the maximum amounts as set out above, with mandatory fines being possible in some cases;
- Article 33 would have the effect of requiring Privacy Impact Assessments (“PIAs”) to be carried out where “operations in particular present specific risks”. The risks are set out in Article 33(2) and include profiling, using sensitive personal data (e.g. health, sex life or race specific), CCTV monitoring and large scale processing of children’s, genetic or biometric data. The Government predicts that all large scale companies will be caught by these definitions and that an average cost of £27,600 per PIA will lead to a total UK cost of between £67 and £81 million to organisations; and
- There will also be additional burdens on the supervisory authority, in the UK’s case the ICO. These additional burdens will flow from the above points, in particular the increased notifications of security breaches and likely increase in SARs and “right to be forgotten” complaints. The Government estimates that this will cost around £40 million per annum in the UK.
As the above shows, the potential costs associated with the implementation of the proposed Regulation are likely to have a negative financial effect on the country as a whole. However the Commission will hope that the savings going forward that will be achieved as a result of the harmonisation of all European Data Protection Laws (estimated at £40 to £50 million per annum by the UK Government) combined with the increase in business that a harmonised approach will bring, will together offset these costs. What is not widely reported, is that the possible derogations from the harmonised approach required by the Regulation are being widened, so for example, each country could implement its own specific rules on processing “employees’ personal data in the employment context”. This, combined with current ongoing legal differences between EU countries in relation to telecoms laws and works council obligations, will still mean privacy issues across the EU will not be completely harmonised post Regulation.
Businesses are recommended to keep an eye on the changes coming into force, as once approved there will be a two year window for steps to be taken to be ready for the changes being introduced by the Regulation.
For further details, please contact:
Liz Fitzsimons
Legal Director
Tel: +44 (0) 845 497 3808
lizfitzsimons AT- eversheds.com
Dave Hughes
Senior Associate
Tel: +44 (0) 845 497 3642
davehughes AT-eversheds.com
Leave a Reply