Thoughts on the EU data protection regulation and Joomla
In January 2012, the European Commission announced two important pieces of legislation affecting the personal data of EU citizens: the EU data protection directive and the EU data protection regulation. Of the two, the data protection regulation will have the greater effect on most businesses that collect, hold or share data within the EU.
Difference between a Directive and a Regulation
When an EU directive is agreed upon, all member states are required to pass their own legislation to enact the content put forward. Companies and businesses in a member state that has not undertaken this step are not mandated to comply with the directive.
An EU regulation applies across all member states without any member having to take further action. As far as the UK is concerned this proposed data protection regulation would be a reform of the current UK Data Protection Act (DPA). Whether this is an ‘improvement’ or not to the UK regulations is perhaps still open to general debate.
The impending data protection regulation
The overall theme of the proposed data protection regulation conveys that all personal data should be treated fairly and transparently. The proposal states, “The specific purposes for which the data is processed should be explicit and legitimate and determined at the time of the collection of the data. The data should be adequate, relevant and limited to the minimum necessary for the purposes for which the data is processed; this requires in particular ensuring that the data collected is not excessive and that the period for which the data is stored is limited to a strict minimum.”
In addition, the new regulation is intended to give consumers easier access to their own data, and the right to have their data deleted or “forgotten” from any systems. This also has an impact on ‘backup’ and ‘archived’ data, which has to be considered.
Under the new regulation, businesses and companies that suffer a serious data breach will be required to notify their member state supervisory authority within 24 hours, if possible. Businesses and companies that are breached may also have to pay fines of up to 2% of their total revenues. [For a lot of Joomla sites this may well be very minimal but should not be ignored.] The recent ‘LinkedIn’ hack could have proved very expensive had the regulation been applicable, even though that site is not based on Joomla to the best of our knowledge.
If the proposed data protection regulation is passed, it will become a mandatory compliance regulation throughout all of the EU. It is not yet clear when (or even if) the proposed data protection regulation will become law, or whether there will be any changes to the regulation before it becomes law, but if it does then it is likely to come into force sometime between 2013 and 2015. With a total of 91 articles, the proposed data protection regulation is quite extensive and requires a lot of reading time; perhaps it is just as well we have a few years.
Impact for Joomla driven sites
A Joomla installation ‘out of the box’ holds only very limited information on registered users, i.e. a name and an email address, unless the additional profile fields are configured or additional information is provided for ‘contacts’. Third-party extensions installed on the site may (and often will) hold additional personal data; the thought here is of social sites with forum and blog users, but ‘sales’ driven sites are also affected.
Certain common-sense rules should sensibly be adopted, which would include:
Obtaining user consent -- Ensure consent is obtained from all users for all processing that is undertaken on the user data the company or site collects. The site ‘Terms and Conditions’ should be prominently displayed and an agreement box provided for acceptance.
Third-party relationships -- Under the new data protection regulation, it will be especially important to control the data flow between a company or business and the third parties with which it works, such as suppliers. This could also be taken to include affiliates with whom information is shared. One interpretation of the proposals by James McCloskey, senior research analyst for the Ontario-based Info-Tech Research Group, is that: “If there is a violation, that liability is going to accrue directly to your company regardless of what third party you involved”. McCloskey has also said: “You may have some opportunity to sue them later, but ultimately, it’s your brand and your responsibility.”
Anonymising data -- Remove identifying data in all cases (such as birth dates) where such data is not relevant or necessary. This may include masking or scrambling the data. [This would also include any newsletter generation software where data may be used for mass marketing, especially where, for example, a birth date is used to offer a special discount on a product.]
Encrypting data based on a separate key for each user -- Consider either providing the encryption key, or permitting users to use their own keys. This is an area where we are not aware of any current extension for Joomla using encryption, although the underlying MySQL database does offer encryption routines. Extensions would need to implement an additional ‘layer’ around every database access to the data, or the Joomla Framework would need some changes that extensions could then leverage. Either way we can see extension writers having to make code changes!
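To make the last two points concrete, here is an added illustration in PHP of the kind of ‘layer’ an extension writer might put around database access: a birth date is reduced to an age band for any purpose that does not need the full date, and the full date is stored only encrypted under a key that belongs to that one user, so that destroying the key also makes every backup or archived copy of the field unreadable. This is example code written for this article, not Joomla core or any existing extension, and it assumes PHP 7.4 or later with the bundled ext/sodium functions and a key store held apart from the content table (here just an in-memory array standing in for one). The user record and dates are constructed for the example.

```php
<?php
// Added illustration, not Joomla core or any real extension: a per-user
// encryption layer plus birth-date generalisation. Assumes PHP >= 7.4 with
// ext/sodium and a key store kept separate from the data (an array here).
declare(strict_types=1);

// --- Anonymising: keep only what the purpose needs, here a ten-year age band.
function birthDateToAgeBand(string $isoBirthDate, string $isoToday): string
{
    $birth = new DateTimeImmutable($isoBirthDate);
    $today = new DateTimeImmutable($isoToday);
    $age   = $birth->diff($today)->y;
    $lower = intdiv($age, 10) * 10;           // e.g. 24 -> 20
    return sprintf('%d-%d', $lower, $lower + 9);
}

// --- Per-user key store, held apart from the rows it protects.
final class UserKeyStore
{
    /** @var array<int,string> user id => raw 32-byte secretbox key */
    private array $keys = [];

    public function keyFor(int $userId): string
    {
        // Random key per user. If users are to hold their own keys, a
        // passphrase run through a password KDF could replace this.
        return $this->keys[$userId] ??= random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
    }

    public function lookup(int $userId): ?string
    {
        return $this->keys[$userId] ?? null;
    }

    // "Forgetting" a user: wipe the key. Every copy of that user's
    // ciphertext, including backups and archives, is now unreadable.
    public function forget(int $userId): void
    {
        if (isset($this->keys[$userId])) {
            sodium_memzero($this->keys[$userId]);
            unset($this->keys[$userId]);
        }
    }
}

// Encrypt one field for a text column: base64(nonce || ciphertext).
function encryptField(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $box);
}

// Returns null when the key is gone, the value is malformed, or it was tampered with.
function decryptField(string $stored, ?string $key): ?string
{
    if ($key === null) {
        return null;
    }
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

// --- Constructed demo record (not a real user).
$keys    = new UserKeyStore();
$profile = ['user_id' => 42, 'birth_date' => '1988-03-14'];

// What would be written to the database: the full date only in encrypted
// form, and a coarse age band for marketing or statistics.
$row = [
    'user_id'    => $profile['user_id'],
    'birth_date' => encryptField($profile['birth_date'], $keys->keyFor(42)),
    'age_band'   => birthDateToAgeBand($profile['birth_date'], '2012-06-01'),
];
echo 'age band: ', $row['age_band'], PHP_EOL;
echo 'decrypted: ', decryptField($row['birth_date'], $keys->lookup(42)), PHP_EOL;

// The user asks to be forgotten: drop the key and the stored row, and any
// backup of it, no longer yields the birth date.
$keys->forget(42);
var_dump(decryptField($row['birth_date'], $keys->lookup(42)));
```

The point of keeping the key store separate from the content table is that a backup of the content alone carries nothing recoverable once the key is destroyed, which is the only practical way to honour a deletion request against archives that cannot be rewritten. In a real extension the two functions would sit in the model or table class so that no query path reads or writes the column unencrypted.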
Personal data is the one asset that leads to a high valuation of a business, as shown by the recent flotation of Facebook. How that data is managed and controlled adds directly to the ‘value’. The reason is self-evident: the existing data can lead to further up-selling, more targeted promotions, and other campaigns that are intended to increase business revenues.
The data protection regulation tries to set out the citizens’ rights with the aim of encouraging businesses to provide that environment.
As the ancient Chinese curse reportedly attributed to Confucius states, "May you live in interesting times"; in the area of EU data protection that certainly looks likely to come true.