February 24, 2012: The European Union data protection directives have been made to ensure complete reforms in order to ensure improved individual rights and to make the data protection laws robust across the member states of European Union.
The newly introduced reforms will have a tremendous impact on the businesses operating in the area and on the organizations engaged in business activities with companies in the European Union or European Union citizens.
The main objective of the reforms is to bring about uniform data protection laws across the Union. In the reformed laws, the core principles are not changed, but many fresh principles have been introduced. The reforms have also included companies that operate in the region and that do not belong to any of the member countries of the European Union. It has provisions for the protection of the rights of the children in the region.
Any organization or business that operates outside the European Union that process information of citizens of the Union for the purpose of providing goods or services to them will come under the purview of the reformed laws. The external organizations that monitor the behavior of citizens of the Union for the purpose of doing business too will come under the purview of the law. The reformed regulation defines ‘processing’ in very broad sense. It is defined as any action or set of actions that is conducted on the personal data or a collection of data, which is automated or not. The actions will include collecting of personal data, editing, organizing, storing and retrieving, using, transferring and alteration or deletion.
In outsourcing of business functions to third party service providers in other countries, large amount of data will be transferred to the service provider. The data can be of the customers or employees of the clients.
The proposed regulations contain provisions for fines, in case of non compliance of the company. It can go up to one million Euro or 2 per cent of the turnover. It also needs the companies to take the consent of the individuals before their data is processed. The proposed regulations say that consent cannot be assumed.
Complying with these regulations will bring about huge financial and administrative burden on the companies in the Union and also on those who outsource their business functions to offshore locations. This will make it difficult for organizations involved in outsourcing business functions which involve personal data of customer or employees.
Companies that are planning to enter into new outsourcing agreements should be aware of the reforms and that their obligations with respect to data protection will change during the course of the agreement. Data protection provisions should be included in the contract with provisions for amendments.
It is not possible to predict all the impacts that the reforms will bring about. The Service providers and the clients will have to wait for a couple of years before the regulations are completely implemented to determine the outcome of such a regulation.