It took four years for the EU’s twenty-eight member states to pass the new law on data protection. Now companies are bracing themselves for high stakes, and citizens are hoping for more control.
“If you don’t have the data, you don’t have the oil.” The voice-over resounded, in a North Carolina accent, through the speakers of the Filmcasino. It was the Austrian premiere of Democracy, a documentary about the conception, gestation and birth of the new EU General Data Protection Regulation (GDPR). The voice was that of John Boswell; a supporting player in this drama, he represented the SAS (Statistical Analysis System) Institute, defending the positive aspects of Big Data at the debates in Brussels. Meanwhile, protests against surveillance and signs reading “Thank you Snowden” were taking place just outside. The challenge was to find a middle ground – a “compromise.”
The hero of this story was Jan Philipp Albrecht, a Green Party MEP. Since 2012, he has been the rapporteur for the EU’s planned data protection act. At only thirty-three, he just led the European Commission through four years of negotiations, shadow meetings, “Privacy Breakfasts” and lobbyist luncheons. He guided member states through the 4,000 amendments proposed for the bill – a record in the EU’s history.
The proposal states that the goal of the Regulation is to “enhance the data protection rights of individuals and to improve business opportunities by facilitating the free flow of personal data in the digital single market.” However, experts are divided on how much the final bill will in fact protect privacy and ensure higher standards of data security.
What’s at stake
After the film premiere, the director David Bernet joined a panel of experts, including Austria’s enfant terrible of data privacy, law student Max Schrems, a.k.a. the guy who sued Facebook.
“Data protection is still too much of a political topic,” Schrems said. “In the 28 member states, each culture sees it too differently to make one regulation for the whole EU.” Despite being an EU-wide “regulation,” rather than a “directive” transposed at the national level, the legislation allows for individual decisions by member states. Each country has multiple opportunities to add national stipulations to key articles. Schrems is not the only expert who feels that “this system might just not be able to cope with such a complex topic.”
All over the world, citizens, activists and the media have questioned the odd coincidences that data sharing has created in our digital lives. Our browser activity is shared with advertisers and as technology accompanies us through more and more of our waking hours, our location services, cameras and microphones deliver even more information to companies and governments.
For communications and IT firms, the technical side of the regulation is much more complex than it would seem to an outsider.
Anna Handler* works in the legal department at a large Austrian IT company and spoke to Metropole about the measures her organization is taking to comply. She knows the regulation well; for over a year her company has been planning and analyzing every leaked draft of the regulation to make sure it is able to comply fully by 2018, when the law takes effect.
“The technical changes are never as simple as a technical layman imagines.” She has walked into meetings to explain that certain data needed to be deleted (or made delete-able), and the IT team just stared at her. “When they program things a certain way, you can’t simply patch a new function into the system.” She apologized for not knowing the right terminology.
“For me, the word ‘delete’ has a completely different meaning than it does to a programmer,” Handler explained. “There are various levels of deletion, some of which are retrievable.” The difficulties within companies are more a question of translating the new regulation into IT-friendly terminology, but plenty of money is being invested into building the necessary bridges to comply with the regulation and ensure the safety of valuable data the company holds.
Data protection cannot mean turning off the big data tap. Having coherent data sets that are as complete as possible is a must in the 21st century. The main change is the cost of non-compliance. In 2000, companies were already expected to comply with the 1995 EU Data Protection Directive, but until now, the stakes hadn’t been this high.
“The penalties reached up to €25,000,” Data Protection lawyer Rainer Knyrim told Metropole. “Now companies are faced with gigantic penalties of up to €20 million or 4% of an organization’s global revenue – all of a sudden everyone’s paying attention.”
Austria and “unambiguous consent”
In the early 2000s, Rainer Knyrim was the only lawyer in the Austrian Bar Association database who specialized in data protection law. “I had to ask them to program the category into the site, so I could register.” His first clients were US companies looking to branch out in Europe, seeking consultation in data protection and labor law.
“The Austrian companies were not as interested.” For years he had no real competition, but local demand has picked up since 2014. Many of the companies that are now approaching him have never dealt with data protection before and often “have a lot of catching up to do.”
Knyrim also says there is a big difference in the way various EU countries treat data protection. For instance, in the U.K., the authorities are very keen on the technical security of data and vigorously enforce the encryption of business laptops. If one is lost, the company can be fined £60,000 to £80,000 (€80,000 to €106,000) per laptop. They even publish statistics about which companies lost the most laptops in the previous year. In Austria, on the other hand, data protection authorities focus more on registration and approval of the use of data.
The future of data
It’s hard to estimate how much money Austrian companies have budgeted to comply with the Data Protection Regulation. However, the American data privacy management services firm TRUSTe recently did a study with 200 companies, half from the US and the other half from the UK, Germany and France. In October 2015, 83% stated they had already allocated a budget to address the changes, with 31% allocating $100,000 to $500,000 (€93,000 to €460,000) and a further 21% allocating $0.5 million (€460,000) or more. Rainer Knyrim is organizing a similar survey through Austria’s biggest conference organizer, Business Circle, to find out how many Austrian organizations know what is changing and how much money they have allotted to comply with the changes.
With the advent of the new regulation, a new job title was born – that of the Data Protection Officer (DPO). Every company that sells goods and services, regularly monitors Europeans, or processes data on them at certain levels is required to have a DPO. In Germany, this job already exists on a larger scale. It is essentially a Compliance Officer for data protection and requires both legal and IT expertise. Both Knyrim and Handler recommend that aspiring law students specialize in data protection, as the demand for it will only grow.
In the film Democracy, our hero Jan Philipp Albrecht compares policy making in Brussels to steering a tanker, not with a steering wheel, but by shifting weight: convincing enough people to get on one side of the boat so that it turns. It may have taken longer than Europe hoped, but most agree that it is the most significant change in global data privacy regulation in the last 20 years.
*Name has been changed.