Gah! EU data protection will STIFLE business, moans gov.UK
Yargh, I'm wrapped up in actual red tape here
Informed consent rules will hit credit-sniffers
However, one credit reference agency said financial services firms could be particularly affected by increased costs in defending against claims by individuals that they had not given their consent to processing.
"With the burden of proof now with the data controller it may be that every challenge by a consumer (or organisation acting on the consumer's behalf) will require, in the case of a credit reference agency search being challenged, a copy produced of the original consent obtained by our client at the time they carried out the search of our database," the credit reference agency said. "This may prove very costly, highly bureaucratic and time consuming for both us and our clients should organisations such as claim management companies target such activity."
The MoJ outlined its intention to seek an "overhaul" of the current drafting of new rules on individuals' so-called 'right to be forgotten'. It said it would seek changes "given the practicalities and costs and the potential for confusion about its scope for both organisations and individuals." However, it added that individuals should have the right for the personal data to be deleted "where this is appropriate". Some businesses have estimated that the cost of "changing their business processes" to comply with the right to be forgotten could be as much as £100,000.
Provisions contained in the draft Regulation enable individuals to force organisations to delete personal data stored about them "without delay". Organisations that have made the data public will be liable for the data published by third parties and will be required to "take all reasonable steps, including technical measures" to inform them to delete the information. However, organisations can oppose the deletion if they can show they have a right to publish the data under the principle of freedom of expression or if it is in the public interest for the data to remain in existence.
Other respondents questioned whether requiring businesses to build-in privacy by default into new service designs would bring more benefits than costs.
Data portability to affect trade secrets, property rights
Concern was also raised that planned new 'data portability' rules do not allow for organisations to protect their trade secrets and intellectual property rights. The Commission's plans provide consumers with a general right to switch electronically processed personal data from firm to its rival through a "commonly used" electronic format. Businesses said that the costs involved in changing systems to comply with data portability requirements could be as much as £5m and that those costs would likely have to be absorbed by consumers.
Plans for the detail for the operation of the proposed new data protection regime to be fleshed out in 'delegated acts' drawn up by the Commission were also criticised. Businesses had said that if the Commission dictated the "technological format and specifications" to be used, such as in relation to compliance with the data portability rules, it could leave companies "at a financial loss" where those firms had already developed and invested in alternative industry standards.
The MoJ said that a review of the "monetised costs" of compliance of current UK data protection laws had estimated that data controllers spend around £53m meeting the requirements of the laws and that an extra £1m is borne by the justice system enforcing the framework. The review had concluded, though, that the "true cost of compliance" was likely to be higher.
"The [review] also found non-monetised costs which included extra staff hired to ensure compliance with the [Data Protection Act (DPA)], costs for those who have received penalties, as well as impacts where the incorrect application of the DPA has stopped organisations sharing information," the MoJ said.
Copyright © 2012, Out-Law.com
Out-Law.com is part of international law firm Pinsent Masons.
Sponsored: Network DDoS protection