Whose Data Is It Anyway?
- Details
- Created on 17 June 2015
- Written by Steve Burrows
Membership of the EU is a controversial topic, some in the UK believe they are better off in, and some out. The latter largely base their justification for a “Brexit” on the excessive intrusion of EU legislation into what they believe should be sovereign matters - and in general I agree with them, but there is one piece of Eurocracy that I think we should be thankful for - the Data Protection Directive (DPD).
The DPD is the part of EU Human Rights law which requires EU countries to have Data Protection laws, and by association requires that we in the Isle of Man must have Data Protection law of equivalent standard if our companies are to be permitted to receive personal data from companies in the EU. The DPD was preceded by OECD proposals issued in 1980 and a Council of Europe treaty in 1981 which led to the UK and other countries issuing their first real data protection laws. The CoE treaty was eventually effectively superseded by the DPD which introduced refinements to our understanding of data protection law, and in prohibiting personal transfer outside the EU except when the recipient jurisdiction imposed similar personal data protections resulted in the IoM Data Protection Act 2002.
I remember the proposition of Data Protection law at the beginning of the 80’s and like many people thought the Eurocrats were making a mountain out of a molehill; thirty-five years on I think I would have to say they were remarkably prescient.
Data is funny stuff. If I possess a gold ingot then I possess it, you don’t, it’s mine, all mine. The same goes for most material things, but data is not material. I can have a piece of data, and concurrently you can have it, and the Government, and Uncle Tom Cobley et al. We don’t have shares in it, we each possess it, so who owns it? The whole language of ownership gets a bit fuzzy when we start talking about personal data; normally possession would imply ownership but in the context of data it is more appropriate to think of custody and control. EU DPD legislation does not settle the question of personal data ownership, but it does give us some pretty robust pointers:
- with a few exceptions for the purposes of the State you do not have to provide your personal data to anyone
- if you do provide your data it may only be used for the pre-defined purposes to which you have agreed
- if another party has your personal data whether or not you have given it to them you have certain rights including:
  - the right to see the data they hold about you,
  - the right to require that they correct the data they hold about you if it is inaccurate,
  - and the right to require its deletion if it is erroneous, inadequate or irrelevant.
In short you have rights to withhold your personal data and rights over the instances of your personal data held by other people or organisations - your personal data is yours as though you own it, other parties who hold your data do so as custodians as if under license from you for the purposes of their relationships with you and can be penalised if they misuse your data or deny you your rights over your data.
These concepts are instantiated in law throughout the EU and in countries such as the Isle of Man which wish to receive data about EU residents. In the language of the law the individual is the “Data Subject”, the legal person who holds data about individuals is a “Data Controller” (effectively the licensee), and any organisation which actually processes the data is a “Data Processor”. Commonly the Data Controller and the Data Processor are the same organisation, but in some cases the Data Controller will have outsourced the data processing to another organisation hence the separation of roles.
For those of us, mainly organisations, who are Data Controllers, understanding this matter of ownership is crucial. If we do not protect the rights of the Data Subject then sooner or later we’re going to get into hot water; data protection law specifies how we may lawfully process personal data, including upholding the Data Subject’s rights, using the data fairly for the pre-defined purposes, and being good custodians who keep the data secure. Although the penalties available to the Isle of Man Data Protection Supervisor are rather modest and suggest our Government has a very low level of regard for data protection, six-figure fines have become commonplace for data abuse in other countries demonstrating how seriously the EU countries take the matter.
All this is about to undergo a step change. Today (last week as you read this) the European Council has agreed to implement a replacement for the Data Protection Directive. The new EU General Data Protection Regulation will come into force in 2017, after a bit more haggling over the details. It embodies the concepts described above but far more robustly and in far more detail than the Directive, and has been particularly enhanced to encompass the data problems associated with globalisation, outsourcing, cloud computing, e-business and social media, none of which really existed when the original EU data protection concepts were conceived.
The new law introduces a new pan-European regulator to oversee national regulators and national laws and to ensure consistency of application and penalties, it introduces new penalties for data protection breaches, and it introduces new breadth in that it applies to any organisation in the EU and to any organisation anywhere in the world that processes data about EU residents.
If non-EU countries such as the USA and the Isle of Man wish to continue to receive personal information about EU residents from their EU counterparts they will have to introduce new, stronger, levels of protection so we in the island are probably going to be seeing a new data protection law sooner rather than later - the alternative would be the collapse of the finance and e-business sectors. The EU will expect that such new local data protection law will be largely equivalent to the new EU law.
Not everyone is happy. The big USA technology companies such as Google, Amazon, Microsoft etc. are already protesting that the new law will significantly damage global e-business and hold back the development of the EU economy. The UK Institute of Directors is voicing similar concerns, and the UK Government, which has been penalised many times for data protection breaches, is far from comfortable. So what are they all afraid of in this extra protection for the data of EU residents?
In a word, the penalties. Whilst the restrictions on the use and processing of personal data are more onerous, it’s the penalties which give the new regulation its teeth. The EU Council is envisaging fines of up to One Million Euros or 2% of turnover; however, these fines are unlikely to pass into law in that form, because the current text of the new law before the European Parliament - which is still being amended - will allow the EU Data Protection Regulator to impose much greater fines of up to One Hundred Million Euros or 5% of the offending organisation’s global turnover - whichever is the larger - for breaches of the General Data Protection Regulation by any organisation in the world. If the European Parliament has its way then any organisation that has a footprint in the EU will be caught - for instance if Microsoft break the EU law in the USA then the EU may levy a fine based on Microsoft’s global turnover onto one of Microsoft’s EU subsidiaries such as their European HQ in Dublin. The six-figure fines commonly imposed upon UK Government organisations will, before the end of the decade, start to look like small change.
In summary, the temperature of the water for those who breach the new, more complex, data protection regime is going to get an awful lot hotter, and data protection is going to transform from an inconvenience for many organisations and states into one of the major compliance issues of the 21st century. For some organisations the question of “Whose data is it?” will be the difference between survival and failure. The new EU law will affect almost all of the Isle of Man’s finance and e-business sector companies; we in business will have to get used to an environment in which much of our most important data effectively belongs to our customers, and if we wish to remain competitive then we’d probably better start gearing up for it now.