European Data Protection Reform – How to prepare for what is coming
May 7, 2014
If your company touches any Europeans’ data you’d better prepare for what’s coming.
The EU data protection reform is steadily moving forward. On March 12, 2014, the European Parliament adopted the current proposal in its first reading. The new regulation is intended to strengthen consumer privacy rights and to boost Europe's digital economy. However, many experts across the Atlantic have expressed deep concerns about some controversial aspects of the incoming rules, which introduce larger fines, 24-hour breach disclosure and a mandatory Data Privacy Officer. The proposed regulation applies to the processing of personal data of data subjects in the EU even if the controller or processor of that data is not established in the EU. U.S. companies, with or without operations in the EU, that fail to comply with the new rules can face fines of up to €100 million. If your company touches any Europeans' data, you'd better prepare for what's coming and know what to do to minimize the impact on your organization once the regulation is enforced.
How to prepare for what is coming
U.S. companies that market goods and services to European consumers should not wait for the regulation to enter into force. You should act promptly to avoid the disruption and liability that result from a late implementation of these new rules.
At a minimum, your checklist should include:
- set up a task force responsible for enabling the board of directors to implement the new regulatory framework in a timely manner
- determine what personal data the company processes and for what purposes
- ensure that personal data is collected and processed only to the extent permitted by the regulation and in full compliance with the data subjects' rights to access, rectification, erasure (a.k.a. the "right to be forgotten") and portability of their personal data
- ensure that the company's privacy terms and customer consent are not buried in general terms and conditions or end user license agreements but provided in a separate document, and make sure these terms and any customer consent agreement fulfill the stipulations of the regulation
- set up a breach notification process and an incident reporting system designed to detect any unintended disclosure of personal (customer) data
- implement independent and periodic reviews of the company's data protection and data security processes
Even though there is no final text yet, you should not wait until 2015 or later to set up a task force. Look at the latest proposal and have it examined by your IT and legal departments and by your attorney. Then define your strategy for becoming compliant by the time the regulation is enforced. Privacy terms in particular are an important aspect that almost every company has to take into consideration. Many U.S. companies have privacy terms that are part of licensing agreements or general terms and conditions but fail to state clearly what data is processed, by which entity, and for what specific purpose. This is not going to work, as it is already non-compliant under EU Directive 95/46 and the various national member state laws. In addition, you need to compile a checklist based on the provisions of the regulation to comply with the newly introduced rights of the data subject. If you are looking for a three-step approach: 1) set up a task force, 2) revise the privacy terms and your declarations of consent, 3) make sure you are fully compliant with all the obligations provided by the regulation. Then you should be on the safe side.
According to Leupold, "It is very important for the CIO to take the lead. It's not so much us lawyers. You have to implement an incident reporting system so you know what's going on, and you have to have a reliable breach notification process in place. If you don't have a solid one, you're really not in control of the personal data of your customers. And you are not in compliance."
U.S. companies should remain flexible in their operations. The privacy regulation may in fact add more stability to European operations by creating a uniform standard. While the situation remains in flux, U.S. companies should anticipate that Europe will continue to assert jurisdiction over data related to its citizens regardless of where that data is stored, and regardless of whether a provider has assets in Europe. An understanding of the European view of privacy, and of regulation in general, will help with this. Snead believes that "It is important for all non-European companies, including U.S. companies, to view the European privacy regulations from a positive viewpoint. Doing so will make compliance less burdensome."
IT-Law, Outsourcing, Cloud Computing, Data Protection & Data Security.
Internet Attorney and co-founder of Internet Infrastructure Coalition
Washington D.C. Metro Area
Founding Partner at ICT Legal Consulting
Milan Area, Italy