European Data Protection Reform – What you should know.

If your company touches any Europeans’ data you’d better prepare for what’s coming.

The EU data protection reform is steadily moving forward. On March 12, 2014, the European Parliament adopted the current proposal in its first reading. The new regulation is intended to strengthen consumer privacy rights and to boost Europe’s digital economy. However, many experts across the Atlantic have expressed deep concerns with regard to some controversial aspects of the incoming laws, which introduce bigger fines, 24 hour disclosure and the enforced Data Privacy Officer. The proposed regulation applies to the processing of personal data pertaining to data subjects in the EU even if the controller or processor of such data is not established in the EU. U.S. companies with or without operations in the EU that fail to comply with the new rules can trigger fines up to €100 million. If your company touches any Europeans’ data, you’d better prepare for what’s coming and know what to do to minimize the impact on your organization when the regulation is enforced.

EU regulation vs. U.S. laws: a matter of cultural bias?

The consolidated version of the EU commission´s proposal for a General Data Protection Regulation following the LIBE Committee vote of October 21, 2013 differs fundamentally from the U.S. approach to the protection of personal data. “Whether one approach is better than the other, is a question of data protection culture. You might think that these are two extremes. On the one hand you have very restrictive regulation with higher fines, which are in my opinion over the top. On the other hand, there is so much leeway under the U.S. data protection laws that you can do almost anything as long as it’s not specifically prohibited.” observes Andreas Leupold, the German IT attorney recipient of the “Lawyer of The Year 2013” award who advises clients across Germany, England and the U.S.

Material Scope: Unlike U.S. data protection laws, which are tailored to specific industries and are therefore sectorial in nature, the EU regulation resumes the omnibus approach of the Directive 95/46/EC that it will eventually replace. The regulation therefore principally applies to the processing of personal data irrespective of the legal entity holding such data and regardless of which type of personal data is being processed.

Territorial Scope: Whereas the U.S. data protection laws only apply to data processed on American territory, the regulation will apply to the processing of personal data pertaining to data subjects in the EU even if the controller or processor of such data is not established in the EU and provided that the processing activities are (a) related to the offering of goods or services to such data subjects in the EU or (b) related to the monitoring of such subjects.

Lawfulness of Processing: While the U.S. principally permits the processing of personal data as long as it is not specifically prohibited by any particular law, the EU regulation always requires a legal basis for the collection and use of personal data such as the data subject´s consent, the need to process personal data for the performance of a contract or other regulated activity.

Data Exports: Unlike U.S. law, the regulation puts strong ties on data exports to third countries, including the U.S. and permits such exports to countries outside of the EU only if the respective country offers an adequate level of protection, or the controller or processor has adduced appropriate safeguards such as the application of binding corporate rules (BCR), the new European Data Protection Seal or standard data protection clauses/contractual clauses adopted by a supervisory authority.

It is evident that the U.S. and Europe approach privacy regulation differently. The U.S. has adopted a sectorial approach, while the European Union has adopted a blanket approach. In some cases, such as with HIPAA / HITECH, it could be argued that U.S. privacy regulations are more restrictive than those in Europe. Looking broadly, European privacy regulation tries to create a uniform level of understanding of privacy. This is different than in the U.S. where most privacy obligations are creatures of contract – the theory being that it is the user’s choice whether to provide personal information or not. It is on this point that debates often center: whether it is better to adopt a regulatory approach, as in Europe, or a hybrid approach as in the U.S.

“People tend to look at regulations with their cultural blinders on” says David Snead, Internet attorney and co-founder of the Internet Infrastructure Coalition – Washington D.C. That tends to really be the case with privacy regulation. Depending on your viewpoint, the U.S. view of privacy regulation is better in that it is designed to encourage commerce and it is more targeted than the European. Now, the European privacy advocates would disagree and claim the European view is better because it provides more clarity. It facilitates commerce by providing a relatively uniform standard.

“What I tell people is to remove their cultural blinders. No particular regulation is better or worse. You have to comply with both. [IT security professionals] stop complaining about how difficult they are, one side or the other, and buckle down and do it.”, continues Snead.

From the U.S. perspective it means that it is very important to know where are your customers, what industry sectors they are in, who your target customers are, and if your customers are in an area that is specifically regulated by the U.S. then you know what the compliance validations are. From a European perspective, U.S. companies and European companies need to look at it from the perspective of “Are you processing data that originates in Europe?” If you’re processing data that originates in Europe, and your customer is a European entity, then they’re going to want you to maintain certain standards, and you need to figure that out.


Next: The 100 million euro fine – Outrageous sanctions set a disturbing precedent.

CREDITS

Dr. Andreas Leupold LL.M.

IT-Law, Outsourcing, Cloud Computing, Data Protection & Data Security.

Munich, Germany

David Snead

Internet Attorney and co-founder of Internet Infrastructure Coalition

Washington D.C. Metro Area

Paolo Balboni

Founding Partner at ICT Legal Consulting

Milan Area, Italy