As the European Commission reviews its legal framework on data protection, European Directive 95/46/EC, it considers implementing a mandatory requirement that all data processing organizations employ a data protection officer. A two-month public consultation period—which concluded earlier this year—generated submissions from 288 organizations and individuals. While stakeholders have been vocal, the commission itself has remained tight-lipped about the potential mandate’s likelihood, leaving stakeholders and others to speculate about the potential implications.

Patrick van Eecke of DLA Piper in Brussels tells The Privacy Advisor that no recent progress has been made on the proposal. Because the commission is generally much more transparent on its processes, Van Eecke speculates that it is not yet sure of the direction it will take.

Rome attorney Rocco Panetta says the commission’s silence on the topic can be attributed to “the enormous lobbying activities carried out by those considering data protection and security as a burden for competition instead of an opportunity to better protect corporate information and strategies,” and better protect personal data flows. Data protection techniques should be used to “explore the infinite opportunities that a fair and lawful data circulation may offer to the market, especially in a period where the economy is so variable and so often depressed,” he said. Panetta believes that stakeholders should, in fact, welcome data protection officers at every organization.

Omer Tene, associate professor at the Israeli College of Management School of Law, believes it’s likely that the commission will make data protection officers mandatory, but in certain circumstances. The challenge, he says, will be shifting organizations’ mentalities as to the importance of employing DPOs.

“The role of the DPO in Europe remains a low- to mid-level management position focusing on compliance with regulatory formalities. This stands in contrast to the American chief privacy officer, a high-level, sometimes C-suite strategic role, which developed not because of a statutory requirement but rather due to a realization on the part of businesses that information management is a central business concern. The challenge for the commission is to help the European DPO evolve in the direction of the American CPO.”

Former UK Information Commissioner Richard Thomas says the idea of the potential DPO mandate is to alleviate administrative burdens, but he’s skeptical that it would. A provision under Article 18 in the directive already relaxes database registration and notification requirements for entities employing a DPO. Only Germany and parts of France currently use the model, however.

The commission seeks to harmonize this system across the European Union. But, Thomas says, “It’s a little difficult to see how you can harmonize when really only two countries do this, and for most of the other 25 countries, I don’t think it’s a big feature for their national law.” He adds that he thinks it’s unlikely that mandatory data protection officers would be rolled out across Europe. “It would be an imposition that most businesses wouldn’t welcome,” he says. “My prediction would be that the European Commission will make it more attractive to have a DPO without making it mandatory.”

The Impact on SMEs

Among those beseeching the commission not to make DPOs mandatory, there have been appeals to consider the impact on small- to medium-sized businesses.

There has been significant resistance to the idea among businesses, Thomas says, based on sentiments that the requirement would place an excessive burden on organizations—especially those that are small- to medium-sized.

The Interactive Advertising Bureau (IAB) says in its submission that many of its members are small- to medium-sized enterprises (SMEs) and that it “would be disproportionate to force SMEs to have a mandatory obligation to engage a data protection officer or conduct formal privacy impact assessments.” Instead, the IAB suggests, the mandate should be imposed only on larger corporations that are “better placed to support such positions within their organizations and for which the impact of increased operational expenses would be limited.”

Van Eecke says it will be important for the commission to consider SMEs and whether relaxed notification requirements would be worth the burden of a requirement to engage a DPO.

“What would be the most burdensome obligation for small and medium enterprises…” Van Eecke asks, “to fill out these forms, which would take a few hours, or to engage a data protection officer? I think the second solution would certainly be more expensive and would maybe create more administrative burden than filling out forms.”

However, if the real intention is actually “to engage more accountability for SMEs at any company, then, yes, I think it’s good. If you would like to make companies more responsible and more accountable for processing personal data, then it’s good to have somebody involved in the company, whether big or small.”

Accountability

Tene understands that needs for a DPO may vary based on a company’s specifics, but, he says, “Any business processing personal data should be held accountable for its actions, and accountability begins with assigning responsibility to an individual in the organization. Perhaps in SMEs this need not be a full-time role, but it is crucial that these organizations, too, integrate privacy and data protection into their governance structure.”

Harmonization Considerations

In its comments, Yahoo, which employs a chief trust officer, says it does not think its model “or any other data protection officer-type model, is the kind of solution that should be mandated for all data controllers because of the immense variety of business models and contexts in which they operate…Moreover, we believe that country-specific appointments could lead to divergence in practices across Europe rather than favor harmonization.”

If the commission does decide to mandate DPOs across EU organizations, the next question is whether the mandate will come in the form of a directive or a regulation.

Both Thomas and Tene speculate that a hybrid could result; the commission may impose a regulation for the private sector and a directive for public organizations, such as the criminal justice system.

“I think a regulation, which has direct effect and does not require national transposing legislation, is a good idea given the continuing lack of harmony between European Member States’ laws, even 15 years after the introduction of the directive,” Tene says.

Panetta would prefer to see a regulation as well, but agrees that differences among national laws make it more likely that the commission would decide on a directive.

“The risk in such a case would always be the same: same principles improved at an EU level but different national implementations, which would mean different national laws and regulations, different DPAs’ powers and approaches, different sanctions and pressure points, different security policies and perceptions of the gravity and seriousness of the matter and of its relevant breaches.”

For that reason, Panetta says, “we should try hard in the near future to at least get a standardization of basic policies and practices at a corporate level and the recognition of accountability and Privacy by Design principles in the directive, throughout the spreading of code of conduct and BCRs, not only for international data transfers, but so that data controllers and hopefully CPOs may drive the change in view of most challenging targets in the near future.”