International Data Protection and Transfer - EU
In the last two decades, the European Union has taken the lead in the area of data protection and privacy regulation and, broadly speaking, tended to impose requirements more strict than those found in most other jurisdictions. As a result, companies that are more accustomed to the regulatory regime in the US and many other jurisdictions outside the EU may be surprised by the compliance requirements they face in Europe.
Privacy regulators in Europe have aggressively enforced data protection laws, and the level of enforcement activity has continued to escalate. Those companies not vigilant in their compliance efforts face potentially substantial penalties and distracting investigations.
The challenges in the EU increased dramatically in January 2012, when the European Commission promulgated a proposed Data Protection Regulation. Unlike the previous Directive, which allowed each member state to implement its own regulatory approach so long as it was generally compliant with the Directive, the proposed new Regulation will apply uniformly throughout the EU and will also strengthen the overall regulation of data handling. The proposed Regulation remains subject to the EU's legislative process (and faces aggressive lobbying for and against). While it may undergo changes before it becomes law, as published it requires far more proactive compliance policies and procedures than are currently required under the existing EU Directive.
Data protection and privacy in the EU
EU data protection law governs the use of any data about private individuals, such as the customers of banks, subscribers to a telecommunication service, employees, users of a website, students in a university or passengers of an airline. Any information that concerns individuals (or which can be linked to individuals, even if they are identified by a code) falls under the scope of the regulations.
The EU regulatory framework encompasses two sets of rules: the data protection rules that govern the use of the data and the rights of individual data subjects in respect of the data; and the privacy in electronic communications rules that focus on the protection of privacy in the context of telecommunication systems.
What do these rules protect against?
Data protection and privacy rules were initially introduced in response to the emergence of computerised information systems, and were enhanced to reflect the order-of-magnitude changes brought about by the Internet. By allowing large volumes of data to be collected, stored and disseminated with great ease, these developments were viewed, particularly in Europe, as significant threats to individual privacy. The laws (which are not necessarily limited to data held through such systems) seek to prevent excessive use of such data, to introduce fairness and balance between the interests of those who hold and use the data and the data subjects, to prevent harassment of individuals (particularly through unwanted direct marketing or spam) and to allow people to have some control over their data and awareness of how it is used.
How do data protection laws affect business?
The burden of compliance depends of course on the use businesses make of data about individuals. In some cases, compliance can largely be ensured by making a simple notification of data processing with the regulator. But businesses that interact with individuals (customers, subscribers, users, etc.) typically have to do more. Compliance must focus on the following areas:
- Direct marketing (particularly through electronic means)
- Data sharing/sales
- Data retention/cleansing
- Data security and data breaches (or loss)
- Transferring data out of the EU (which is tightly regulated)
Does my company have to comply with EU data protection and privacy laws?
The current rule is that any processing of data (collation, storing, dissemination, use, etc.) has to comply with the laws of each EU member state where the company controlling that data is established. A company that has no established presence in the EU may nevertheless have to comply with the data protection laws of an EU member state if it uses equipment located in that member state to process data (other than purely for transit purposes). EU regulators consider that when data is collected from EU internet users, the user's computer terminal constitutes equipment used by the controller for data processing, triggering the application of the national law.
The rules of privacy in electronic communications are less explicit in respect of cross-border application. Again, the view of regulators in the EU tends to be that users of telecommunication services in the EU are entitled to the same level of protection by the law regardless of the location of the service provider. Accordingly, any use of the internet or the telephone network (including by fax or email) by any company, regardless of its geographical location, must comply with EU privacy laws insofar as it is directed at EU subscribers or users. These include rules regarding direct marketing and the use of interactive technologies, among other issues.
What can business expect from the new EU Regulation?
The new EU Regulation is meant to eradicate differences in policy between EU member states, which would allow a business to design and implement a uniform compliance program for all Europe-related data processing activities. Further, the new Regulation will simplify matters in the sense that each company will only need to deal with one regulator (where it has its main place of business in the EU), rather than dealing with regulators in each EU member state where the company has an establishment (as the law currently requires). At the same time, however, the new Regulation would significantly increase the compliance burden, requiring a more proactive approach and an increase in the resources required to ensure compliance. The new Regulation also expands the jurisdictional reach of EU data privacy law by specifically applying the law to companies not established in the EU which offer goods or services to individuals within the EU or which monitor individuals within the EU.
What is the status of the proposed EU Regulation?
The European Commission published the draft Data Protection Regulation in January 2012 after extensive public consultation. On March 12, 2014 the European Parliament overwhelmingly approved an amended version of the Regulation. Among the changes in the version approved by the Parliament was an increase in the potential fines for breach of the law, from the greater of 1 million euros or 20% of annual worldwide turnover originally proposed by the EU Commission to the greater of 100 million euros or 5% of annual worldwide turnover. To become law the proposed Regulation must be approved by the European Council, consisting of each of the 28 EU Member Countries. The Council is likely to require further amendments to the Regulation, which will then be subject to negotiations with Parliament to arrive at a final agreed version within the next year.