No legal certainty for SMEs with Data Protection Reform

The proposed General Data Protection Regulation (GDPR) continues to cause controversy, despite the political agreement reached this week on a compromise text in the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE).

Despite over 4,000 tabled amendments made to date, the GDPR won't provide a single framework for Data Protection in Europe. This will bring more misery and legal uncertainty for small and medium-sized enterprises (SMEs) already struggling under the weight of a broken economy, Brussels red tape, and a political system that, in the current budget period 2007 - 2013 will see Britain handing over total contributions of £105.726 billion Gross or £42.026 billion Net (excluding the UK rebate and EU spending in the UK).

The aim of the Parliament’s data protection reform is to update the current data protection legislation which dates from 1995. Key issues in the proposal concern:

  • explicit consent - the revocable permission a person has to give in order to allow the processing of their personal information;
  • legitimate interest - the data controller’s interest in the processed data;
  • third country transfers - when personal data, processed in an EU country is made available in a country outside the EU, and
  • data breach notifications - the notification to the data protection authorities when a breach has taken place.

The final vote in the plenary is due to take place before the European elections in May 2014.

Dual legal framework

The debate featured in the video below between Jan Philipp Albrecht MEP and Pat Walshe, GSMA provides little comfort to SMEs already smarting over the botched Brussels job concerning the cookies law. Here, law makers embarrassed themselves by revealing that they had absolutely no understanding of how a website worked. This ignorance has resulted in an unenforceable piece of legislation which even local regulators continue to denounce privately.

Privacy and data protection laws always look great on paper and in academic debate, but the real test is how businesses implement them. Despite GDPR, the decade-old EU Electronic Privacy Directive still stands in relation to traffic and location data, meaning that more than one UK regulator will continue to enforce our privacy and data protection regimes for Internet based services. It will be down to the courts again to provide clarity on points of law - great for the lawyers but complete hassle for SMEs who need market confidence to do cross border e-commerce. Data protection sits under the pyramid of laws and regulations that enable us to do business electronically; the contract rests on top.

The UK's online economy is one of the strongest in the world. Yet, EU policies still continue to cause around 60 percent of cross border e-commerce transactions to fail for one reason or another. This begs the question exactly what economic growth opportunities is the UK missing out on and will this disjointed, two tier data protection regime just add to this appalling situation? 

We're all relying on the SME to grow us out of economic mess but we're not giving them the legal certainty they crave to get the job done!

View the video debate