Compliance with new EU regulation could cause headache for online entities. Latham's Gail Crawford reports

The European Commission (EC) has stated that the new European data privacy regime set out in the draft General Data Protection Regulation issued on 25 January 2012 will save businesses operating in Europe €2.3bn (£1.9bn) a year by introducing a uniform set of privacy rules throughout the European Economic Area (EEA). The EC cites additional cost savings of €130m (£109m) resulting from the abolition of the requirement to register data processing operations with national regulators.

Online giants have frequently criticised the current European regime, emphasising the practical problems and economic cost of having to comply with at least 30 different sets of rules if they provide services across Europe. As a regulation takes direct effect in every country, the new regime should in theory result in one uniform set of rules.

There are two problems here. The first is that there is still significant scope for local variance, as the regulation gives national legislators the ability to enact divergent local laws in a significant number of areas. This discretion allows countries to change the conditions that must be met to process personal data; to restrict the numerous rights conferred on individuals to request access to and/or rectification or deletion of their data; and, importantly for the online world, to implement national laws that are inconsistent with the data privacy regime in order to protect freedom of speech.

The second point is simply that the stated savings will be eroded by the additional cost of complying with the numerous, strict new obligations imposed on businesses.

These include the much talked about 'right to be forgotten', a phrase used a lot by politicians and privacy activists alike. Put simply, it is a right to request deletion of all data that relates to you, where you object or withdraw your consent to the data processing or where that data processing is illegitimate.

However, it potentially goes further than that. Does it mean that an individual can request that a news website delete articles about a crime they have been convicted of? We assume not, as a website can reject a request to delete data in the interest of freedom of speech. However, where does one draw the line between privacy and freedom of speech? What about an article discussing a celebrity's infidelity?

The scope of the obligation to delete personal data also causes problems for online providers, who are deemed responsible for data they have authorised a third party to publish. Does that mean that a social network that has already deleted data following receipt of a request could still be held liable for results produced by partner sites or search engines, which publish old data from their cache? There are more questions than answers here, but this provision has the potential to have a significant effect on the online world.

There is a new right to data portability, giving individuals the right to request a copy of all their data in a structured and commonly used form, so that the individual can hand that data to other service providers. This means that a Facebook user can require Facebook to provide all their Facebook data to Google+, enabling that user to populate their new Google 'network' in one quick step, reducing a network's 'sticky' factor and increasing competitiveness.

The new laws require businesses to provide individuals with more information at the point they collect data than ever before, and require consent to be explicit, i.e. not buried in the terms of use, but clearly and concisely brought to each user's attention and obtained by way of a positive act. Online providers will struggle to implement these requirements without negatively impacting the user experience by introducing multiple pop-ups and text boxes.

One further concern about the new regime is that, in order to try to maintain consistency across Europe, power is conferred on the EC, which is in turn advised by a new body called the European Data Protection Board, comprised of representatives from the national regulators (essentially, the same as the current Article 29 Working Party). Important decisions, codes and opinions may therefore be authored and approved by public bodies with little input from the industry, potentially producing unworkable results.

While the EC's statement emphasises there will be increased powers for national regulators, this is at odds with these consistency mechanisms. In the UK, where we are used to the balanced approach of the Information Commissioner's Office, this could come as a shock.

Finally, there are a significant number of prescriptive bureaucratic requirements that companies must implement in order to demonstrate that they have adequate controls in place to ensure compliance. These include requirements to hold detailed documentation, conduct privacy impact assessments and implement policies and processes that ensure privacy by design and default. All businesses with more than 250 employees have to appoint a data privacy officer, and those outside the EEA must appoint a local representative.

The regulation is applicable to all businesses that offer goods and services to, or monitor, European residents. That means that non-Europe-based online providers with no assets or physical presence are clearly subject to the rules. Many had (perhaps incorrectly) taken the view that they were not subject to the old regime.

The impact on the online world will depend on whether some of these more controversial requirements are further diluted before the regulation comes into force, how they are interpreted by guidance and whether they will be strictly enforced in practice. If the proposed penalties of up to 2% of global turnover are not enforced effectively against overseas businesses (enforcement requiring the co-operation of overseas law enforcement bodies), online businesses may choose to relocate outside the EEA.

The online giants may have said little publicly about the proposals but, given that Facebook alone claims to have created – indirectly – 232,000 jobs in Europe and enabled more than $32bn (£20bn) in revenue, the economic reality is that, at the moment, Europe needs their investment more than ever.

Gail Crawford is a partner specialising in data protection at Latham & Watkins' London office.