EU Regulation decouples privacy from data protection

The first thing to note, says Amberhawk, is that this is a ‘Regulation’ and not a ‘Directive’. While Directives have to be implemented by member states, and can be implemented in different ways, Regulations have to be applied. There is no wriggle room for different interpretations. In this way, a court decision in one EU country is likely to be relevant to all other member countries.

This said, Amberhawk concentrates on two new developments. The first, and possibly a surprising development, is that the new Regulation removes the concept of a right to privacy from the concept of data protection. The existing Directive states in Article 1, “In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.” Recital 10 amplifies what is meant by the ‘right to privacy’ while Recital 11 adds that it is intended to “give substance to and amplify those (provisions) contained in the Council of Europe Convention of 28 January 1981 for the Protection of Individuals...”

“Compare this position with the Regulation,” says Amberhawk, “which does not use the word ‘privacy’ (except in the context of ‘privacy by design’ or ‘data loss’). In the Regulation, there is no mention of the ‘right to privacy’, no mention of Article 8 of the Human Rights Convention...”

Amberhawk’s concern is that a ‘right to data protection’ is not comparable to a ‘right to privacy’. ‘Data protection’ has no history in law, while ‘privacy’ has more than a century of legal deliberation behind it. “In short,” says Amberhawk, “the ‘right to data protection’ upon which this Regulation is to be based is currently a confused, ill-defined concept.”

In a second post, Amberhawk discusses the proposed new ‘fine’ regime. While much of the existing discussion centres on the ‘2% of annual turnover’ headline, this can be misleading. In effect, the 2% fine can only be levied on companies with a turnover in excess of €50 million. Since the current maximum UK fine (from the Information Commissioner) is £500,000, a UK company would need to have a turnover in excess of £25 million for this level to be increased. “The maximum fine could actually decrease for most SMEs.”

The UK’s ICO will undoubtedly be pleased with this development. Much of the criticism currently aimed at the ICO concerns the size of the fines he imposes on companies that transgress the UK’s Data Protection Act. Under the new Regulation, he will have little leeway in the amount he imposes.
