The countdown has started for the implementation of yet another European Union directive which will overhaul the UK's data protection act. The directive will become law on October 25 and has started member states scrabbling to get their houses in order.
Opinion is divided over the regulation's merits while the issue of privacy vs progress is also raising its head. Some commentators have called the revised act unworkable and argue it will upset those who do business on the internet, among others.
Christopher Millard, partner at City law firm Clifford Chance, is concerned that at least one part of the legislation is unfeasible. This is the part of the directive that says you can't email 'protected data' - data covered by the Data Protection Act - to countries that are not signatories to the directive. Countries that are not members of the EU must have signed up to the new rules to be able to process protected information.
Unfortunately, there is already a gaping hole within this arrangement.
Guess which key player isn't signed up? The US. That alone is going to make the change in the law very interesting.
Millard believes the system has a fatal flaw. 'You are not allowed to transfer information from here to another country unless you have the consent of the individual concerned or you have some other justification for doing it. That is fundamentally incompatible with how the internet works,' he says. 'People aren't going to stop sending emails just because they are going to a country that has no law in this area.' Millard adds the majority of countries don't have such laws. 'We found only 36 countries that had any law on these matters at all - and big countries like the US don't have any.'
This means that any business, for example a bank or group of companies, with an office in the UK and, say, the US, wouldn't be allowed to transfer information about its employees or customers or anyone else to the US, unless it falls within one of the limited number of exceptions, says Millard.
'You have to show consent from everybody named in the communication or show you have a contractual requirement to do it - for example, asking your bank to transfer funds from your account here to a particular account in the US.'
And Europe has already had a run-in with the US over this, according to Millard. 'It happened in Germany with Citibank, which in 1995 tried to market a co-branded Visa card with the German railway company. Various consumers complained to the Berlin Data Protection Commission because they objected to their accounts being processed in the US. The regulator agreed they had a valid argument and promptly put a stop to the deal.
'There were then months of negotiations, at the end of which Citibank US agreed to submit to the German data protection laws,' says Millard, adding: 'So these laws apply to certain offices of Citibank in the US and the German regulator has power to go in and do dawn raids and enforce German law in the US. So this isn't theoretical, it can work.'
Millard puts the development of the new act down to a historical 'political sensitivity'. He argues it follows issues raised during the Second World War with the categorisation of people through the collection and use of information on individuals in Germany, France, the Netherlands and various places under the Third Reich. 'It is viewed in Continental Europe as a human rights issue,' says Millard.
However, the data protection registrar itself has come out in favour of the new regulations. Phil Jones, assistant registrar at the office of the data protection registrar, comments: 'One of the things that strikes me about data protection legislation is people claim it makes them do all sorts of tedious things they didn't want to do. My view is that it's a bit like saying if there weren't health and safety legislation, nobody would care and there would be bare boards, holes in the floorboards and exposed wires.'
He is very firm about what the new rules concern: 'What this seeks to do is enforce a culture of treating personal information with respect.'
Rachel Burnett, a partner at computer specialist solicitors Masons International, also believes the legislation is important: 'People have a right to know that their personal data is going to be used correctly - information about individuals shouldn't be a free for all.'
She says: 'If it is possible to get an agreement that the data will only be used for the purpose it is being transferred for, then it can be done - and it doesn't seem to me to be that unreasonable. It is really making sure that other countries - which may have different approaches to personal data - treat our data the way we want it treated.'
Jones believes the new legislation could act as a motivating force, rather than a barrier to increased internet activity. He thinks it is in the interests of companies to operate within the new rules, despite the obvious drain on time and resources it will engender. 'I think a lot of players in the computer industry realise that a lot depends on confidence,' he argues. 'If you have a few horror stories of people merely visiting a Website and finding all sorts of unfortunate consequences, that is probably antipathetic to internet commerce.'
Jones says that in his opinion, the fundamental issue is one of consumer trust. 'It seems to me that the longer term legitimate players have an interest in fostering that trust, and the real problems are the fly-by-night organisations, but I would have thought it was broadly in their interests to play fair.'
But he doesn't expect a rush of companies: 'I would be amazed if there were many organisations that need to register that haven't done so already,' he says. He is also confident that a new clause in the act, which includes paper-based records, will not raise too many problems. 'I'm not certain the paper records thing will catch that many people,' he says. 'I doubt many organisations exist which have their records solely on paper.'
So the jury is out. And the issue of policing internet traffic is sure to crop up more virulently once the legislation is in place. It is difficult to see how the authorities can even begin to police it and some argue it is possible that their failure to do so adequately will undermine the law sufficiently to affect how seriously companies take it.
Ins and outs of the new law
Although the deadline is approaching, there are still a number of issues in the new legislation to be thrashed out. At the moment, the data protection bill is going through, and although the directive is in place, it is still being discussed at our own parliamentary level. So it seems the people charged with defining what the changes will be haven't agreed on the final draft yet.
However, solicitors group Masons International has produced a synopsis of what the directive should mean to the UK after October. What is clear is that the revised directive will be expanded to cover not only electronic - computerised - data but paper filing systems as well. More clearly defined, that is 'a set of information which although not computerised is structured so as to make the information readily accessible'. This is going to make life very interesting for an enormous number of people, from journalists to newsagents.
The clause applies to paper files that are specifically structured - not, say, random notes in a notebook. Also expanded is the right of individuals to access the data. 'The scope of the required disclosure will be extended to include the logic of any decision making process where computerised processing has been used as the sole basis for an adverse decision affecting the individual, except where the logic is a trade secret.' So now you can force them to tell you exactly why they think you are a financial risk. As a result of the increase in information which an individual will be able to demand, the people supplying the information will be able to charge more for supplying it. However, access is still limited and there is still an obligation to supply it within strict time limits.
The individual has more control over how their data is used too: 'The bill envisages an entitlement on the part of individuals themselves to require data processing to stop, or not to start, where for specific reasons it is unwarranted as causing or being likely to cause substantial damage or distress. Moreover, individuals are to have an absolute right not subject to giving any reasons to object to use of data relating to them for direct marketing purposes.' All of these clauses are new and, if required, an individual can go to the courts in order to see them enforced, as well as demanding compensation 'for any contravention of the legislation'.
One of the real stingers is the requirement to tell an individual who is doing the data processing. As Masons put it: 'The bill requires, but with some qualification, certain information to have been provided to individuals before any processing of their data can take place. This includes the identity of the person processing the data and the purposes of the processing. The duty is to give this information to data subjects regardless of whether the data was obtained directly from them or another source.' And this could hit hard in the case of any organisation which buys lists of names for commercial purposes.
This is a particularly relevant duty - and maybe an expensive one - for organisations that rely on buying in personal data from third party sources. In the UK, electoral rolls have been a commonly used source of data for commercial organisations - so far without the obligation to provide this information to registered electors.
There is also the issue of sending personal data to the rest of the world.
'While the directive is intended to promote the free flow of information around the Member States of the EU, it prohibits transfers of data to third countries which do not provide adequate levels of protection. It may be possible to transfer data to such countries by means of contractual arrangements where the recipient agrees, by contract, to abide by data protection rules.'
And it also covers the information you grab from say a Web page; if someone gets your details from their Web page they can approach you but they can't sell that data on to someone else. The assumption is that someone who visits the site is aware that their email address might be made available to the operator of the Website, but they have to be informed if the details are passed on to someone else for different purposes.
Perhaps most significantly, the registrar (or Data Protection Commissioner, as the post is to be called) has been given a lot of power to make sure things happen the way they should.
The commissioner will have a sweeping new power to require information to be supplied by an organisation they have reasonable grounds for suspecting has contravened the data protection principles. Refusal to comply is a criminal offence.
The start date for all this is October, meaning anyone that holds any personal data on individuals, from personnel files to marketing data, will need to comply with the Act from that point.