Data protection lawyer Christopher Kuner is a partner in law firm Hunton & Williams' Brussels office, where he focuses on data protection and privacy compliance projects for multinational clients. He has represented clients in numerous negotiations with the European Commission, the Article 29 Working Party, and European data protection authorities, is the author of several legal textbooks on data protection regimes, and teaches data protection law at several European universities. He answered questions put by Euractiv’s Jeremy Fleming.
How ready is business for the changes that will be brought about by the new data protection regime?
This is a huge legislative proposal and will completely change the legal framework from the ground up, which in itself raises challenges for business. But it is so huge, far-ranging and technical that it is hard to get your head around it, and people in companies may be put off reading it and then be left in a limbo of being aware that there is something important but not really knowing the details.
Will the private sector welcome these rules?
I have heard many times companies say that they would much rather have to comply with a very onerous set of requirements than comply with 27 different sets of requirements. Not all would agree with that, but harmonisation is something companies have been wanting.
But they need to be careful what they wish for, because the full implications are now sinking in: this is not going to be harmonisation at a low level but at a higher level, and a number of countries – like the UK and Ireland, which have traditionally had a hands-off approach – are suddenly faced with the notion of German-style data protection rules coming into force, and this raises all kinds of issues. There is also the question of whether the harmonisation envisaged will stick, or be watered down.
One of the major things to watch for is how far the proposals may be watered down.
Are some companies going to deal better with the new rules?
IT and computers and online companies have caught on to the idea of new rules, but the ‘old economy’ companies have not seen it quite as much. All these traditional companies have employee and customer data in their systems however, and are going to have to take the rules seriously. It is a horizontal regulation that covers everything.
After the consultation period is over, what will you be looking out for in any changes to the final draft of the new rules?
The proposals that would affect the private sector most are in the form of a regulation. This could meet such opposition that the regulation is reconverted into a directive, which would mean national implementation – with all the variations that supposes – or there could be many more exemptions introduced into the regulation. There are already some articles [in the draft regulation] calling on the member states to take their own action, some in-built subsidiarity, and this could be extended in the final version, diluting the effects of the regulation.
How keen do you think the Commission is to make its rules tally with those of its big international trade partners?
There have been concerns raised by the US saying that the proposals are not helpful. The US wants to improve its data protection framework in a way that includes some ideas from Europe, and the argument goes that at the same time that this is happening Europe wants to move itself onto another level of data protection.
But the Commission is not going to prioritise harmonising EU law with Chinese or US rules. It is great to have international harmonisation, but it is a lower priority than getting the rules straight in Europe. Justice Commissioner Viviane Reding and her colleagues are keen for the EU to be a leader in privacy regulation and are pursuing their agenda aggressively.
One issue causing controversy is that the EU wants the power to regulate overseas data users where these are targeting European consumers. Is this extra-territorial issue going to cause problems?
There has been a lot of discussion about this and it will be controversial, but the EU is not doing anything that the US has not done. Indeed, most countries have come to the conclusion that if their citizens are being targeted or offers are being directed at them from other regions, then they will apply their rules to those regions. This whole approach in fact started in the US, and we have seen controversy about extra-territorial jurisdiction. Ultimately, however, the EU and US are not far apart on this issue.
How easy would it be, however, to apply fines or sanctions against offending companies when these are headquartered overseas?
You look at where assets are located. It is true that if enforcement was sought against a small company in China with no presence in the EU, then there is little that could be done. If a company has any assets or operations in Europe, however, or if it needs its executives to travel here, or has expansion plans here, then these are hooks that can be used by the Commission in enforcement.
That is the US approach, which has been used against Swiss banks and all kinds of companies. The truth is that companies need to use the US markets, they need to travel there, and the authorities can enforce when there is any physical presence. The EU is arguably a bigger market. So these new fines and these new joint investigations may be more effective than one would think at first.
How much are these rules going to affect public bodies as well as private ones?
This package has huge implications for governments and regulatory authorities and public authorities, and that is being ignored in the public discussion with the emphasis being put on companies. In many ways ordinary public authorities are far behind the private sector in terms of their sophistication in dealing with IT and data processing.
Their budgets are being cut and they do not have the opportunities to go out and raise business and money as the private sector does, so in a way they are going to be squeezed even harder than the companies in their efforts to keep within the rules.
You can already see this issue being controversial in the directive on police [data protection] co-operation. But it’s hard to separate the public and private sectors completely since where the private sector has databases, governments frequently want access to these.