Will the boat come in for privacy law reform in 2012?

February 9, 2012

Throughout 2011 we saw some promise for better, updated privacy laws in many parts of the world, with changes afoot in the EU, the USA and Australia. While in the end things were still ‘promising’, 2012 looks set for some real progress, according to Malcolm Crompton.  

To quickly reprise, in early 2011 I wrote in my blog Towards a Global Privacy Framework: Arriving at Base Camp about the forthcoming G8 summit, which had privacy on its agenda. In May, I updated this observation by blogging that the world’s leaders were Getting closer to Base Camp: the Sherpa’s are unpacking the tents. The final Summit communiqué did ‘encourage the development of common approaches’. Well, it was a start.

But the momentum seemed to be building. Elsewhere at the global level, in November 2011, APEC Ministers announced, and APEC Leaders endorsed, the complete APEC Data Privacy Pathfinder Cross Border Privacy Rules System (CBPR). This is the first cooperative arrangement to protect personal information when it moves between jurisdictions (outside the rather unique circumstances of the European Union). It is the culmination of nearly a decade of concerted effort since APEC first considered developing its own Privacy Framework.

Meanwhile, in the US, most recently in August 2011, a White House Office of Science and Technology Policy spokesperson indicated that the US Federal government would play a role in protecting internet consumers, with a business-friendly regulatory structure.

And in Australia, there was progress of sorts as well. 

Rather optimistically, in July I blogged to the effect that Privacy law reform in Australia gets going again. By year’s end, the Senate Finance and Public Administration Committee had received and reported on one more piece, the credit reporting provisions.

And the then Minister for Privacy and Freedom of Information in his speech to the Annual Conference of iappANZ announced that "Subject to the usual caveats about legislative drafting resources, the Government is aiming to have this legislation introduced into the Parliament in the autumn sittings of 2012".

The year in Australia for privacy was rounded out when the Prime Minister announced Changes to the Ministry that moved the privacy policy function back to the Attorney-General’s portfolio and abolished the separate role of Minister for Privacy.

So, that was the year that was. How about 2012? If January is anything to go by, privacy looks set to gain momentum.

In January 2012, the European Commission proposed a comprehensive reform of the EU’s 1995 data protection rules to strengthen online privacy rights and boost Europe’s digital economy. If adopted, a new Regulation will replace Data Protection Directive 95/46/EC except for law enforcement and other “competent authorities” who would be covered by a separate Directive. 

This is a very significant potential change if it is passed into law.  The most important changes of all are: 
  • the main data protection framework is a Regulation and not a Directive. The Regulation will be enforceable in member states after two years. A Directive would have required each of the member states to make law, and would have left in place the scope for interpretation and inconsistency between the member states. Interestingly, the law enforcement aspect of the new regime will be regulated by a Directive rather than a Regulation.
  • penalties will range from a warning letter up to €1 million/up to 2% of the offending company’s global turnover. Although lower than the fines of 5% of turnover indicated in leaked earlier drafts, these are nonetheless significant penalties
  • there will be a ‘one-stop shop’ approach to enforcement, with each company subject to the Data Protection Authority in the member state in which it has its main presence
  • the reforms contain an online ‘right to be forgotten’ where online data can be deleted when there is no legitimate reason for it to be kept

Hardly surprisingly, the new draft has started a strident debate over its merits. Out of the many, here is a sample of two contributions. The UK Information Commissioner is concerned among other things that processing of personal data for law enforcement will be regulated by a (weaker) Directive rather than a Regulation. DataGuidance has rather crisply summarised how Industry reacts to the EU draft Regulation, seeing it as rather a mixed bag.

Overall, though, the EU announcement is a promising start to 2012. From the USA this year we can expect announcements in the next couple of months on how it sees privacy regulation shaping up for the future. 

And Australia? The Attorney-General, Nicola Roxon, is the new Minister responsible. As Minister for Health, she gave privacy strong support in principle as she shaped the Personally Controlled eHealth Record. Here’s hoping that we see the introduction of new privacy legislation in the coming months and an end to the lengthening hiatus on privacy law reform here.

Watch this space.


Malcolm Crompton is Managing Director of Information Integrity Solutions (IIS), a globally connected company that works with public sector and private sector organisations to help them build customer trust through respect for the customer and their personal information. He was also foundation President of the International Association of Privacy Professionals, Australia New Zealand, www.iappANZ.org.