EU institutions are still negotiating the final version of the long-awaited Data Protection Regulation, but a new provision in the text is a source of concern for businesses. The new version of Article 43a would leave companies to deal with conflicting legislation on the transfer of personal data; more broadly, it highlights the need for greater cooperation between regulators across countries.
Stricter rules on data transfer will leave companies to decide which rules to breach
Despite reaching an advanced stage of the formal process leading to approval, the new European Data Protection Regulation still faces significant obstacles and remains some way from being passed. Industry associations are now concerned about a proposed amendment to the rules covering the transfer of personal data outside the EU. This concern was highlighted by a statement released at the end of August 2015 by the European Data Coalition, which groups together approximately 20 companies, including Apple and AT&T.
If passed in its current form, Article 43a would forbid companies from complying with a request for personal data from the public authority of a third country, because no decision of a court or administrative authority could be enforceable. Although this is an effort in good faith to protect EU citizens’ privacy and to prevent the bulk collection of personal data from third countries, its practical consequence is likely to be much less desirable. Companies will have to deal with conflicting legislation; in practice, they will often have to decide whether to breach EU rules or the rules of a third country (very often this will be US legislation, given that many tech and internet companies are based there). It is expected that companies will generally opt to flout the legislation with less harsh penalties. This means that if the EU rules are to be enforced effectively they will have to come with a heavy set of sanctions.
Regardless of EU institutions’ ability to come up with effective rules on this aspect of data regulation, the provision highlights one of the unresolved issues of data protection in the digital age – the need for regulators in different countries to work together and come to a comprehensive agreement on data protection rules. As end users become increasingly sensitive to privacy issues online, and regulators adjust their frameworks to capture ongoing technological developments, companies will be expected to comply with inconsistent sets of rules.
If the issue is not tackled adequately, it could lead to an undesired balkanization of the Internet. Lack of mutual trust between countries may lead regulators to put more obstacles in the way of the transfer of personal data abroad. In such a scenario, small companies, which have often been a primary source of innovation in recent years, may suffer the most because they will struggle to meet the cost of complying with complex and inconsistent regulation.
Luca Schiavoni, Senior Analyst, Regulation