Are You Prepared for the EU's New Data Protection Regulation?
Big changes are coming to data protection laws in the European Union. Are you ready?
On Saturday, the U.K. will begin to enforce the amended Directive on Privacy and Electronic Communications (better known as the E-Privacy Directive), which it passed last year. Meanwhile, all 27 member nations of the economic and political confederation are debating much broader draft legislation, introduced by the European Commission (E.C.) in January, which would reform and harmonize data protection laws across the E.U.
The E-Privacy Directive, which the U.K.'s Information Commissioner will begin to enforce on May 26, requires consent for all non-essential tracking of individuals as they traverse the Web, whether that tracking involves tags, cookies or other tracking technology. In other words, websites must inform consumers in detail about any tracking that takes place on the site and obtain consent before proceeding with the tracking.
Updating the Data Protection Directive
Like many other European data protection laws, the U.K.'s implementation of the E-Privacy Directive is an outgrowth of the Data Protection Directive, adopted by the E.C. in 1995 and intended to apply a set of common rules and safeguards for personal data throughout the member countries of the E.U. But as a 'directive' rather than a 'regulation,' it was up to the individual member countries to implement specific laws.
In the 17 years since the E.C. adopted the Directive, E.U. member states have adopted a patchwork quilt of data protection laws that vary in both language and the penalties for non-compliance. For example, when it comes to the E-Privacy Directive, some of the member countries adopted opt-in laws, others adopted opt-out laws and still others have considered annual consent procedures.
In effect, organizations operating in Europe have had to deal with a dizzying array of laws governing the holding and processing of personally identifiable information (PII).
Additionally, the Data Protection Directive was drafted in the early days of the public Internet: Hotmail did not yet exist and the public had yet to know what the term "Google search" meant. The directive did not anticipate the changes to computing that would come from software-as-a-service (SaaS) and other forms of cloud computing.
"Currently, we have 27 member states in Europe, and each one of those member states has taken it upon themselves to create their own version of the Data Protection Act," says Jason Currill, CEO of Ospero, a provider of global hosting, infrastructure and platform services.
"Most of them are pre-cloud, based on the Data Protection Directive formulated in 1995. Everything has now changed. Geopolitical barriers have been smashed by the cloud. There are data privacy issues and data sovereignty issues that didn't exist back in 1995," Currill says.
In January of this year, the E.C. published a first draft of a new legislative package intended to both harmonize the data protection laws across the E.U. member states and update them to address the new technological reality.
"17 years ago, less than 1 percent of Europeans used the Internet," E.U. Justice Commissioner Viviane Reding, the E.C.'s vice president, said in a statement in January when the draft was released. "Today, vast amounts of personal data are transferred and exchanged across continents and around the globe in fractions of seconds. The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data. My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information. The reform will accomplish this while making life easier and less costly for businesses. A strong, clear and uniform legal framework at E.U. level will help to unleash the potential of the digital single market and foster economic growth, innovation and job creation."
Scope of the Data Protection Legislation
The new legislation is expected to have a substantial effect on all organizations that operate or focus on Europe, say Ulrich Bäumer and Stephanie Ostermann of the International Law Office, an online legal update service for companies and law firms worldwide.
Bäumer and Ostermann say the new laws, as currently written, would increase the regulatory burden on organizations with European operations; increase the amount of time, money and personnel required to achieve compliance; and raise the stakes in terms of potential fines and brand damage arising from non-compliance.
"The new law will apply to anyone processing data in the European Union, as well as those outside Europe which are offering goods or services to E.U. citizens," they wrote in a paper about the new regulation. "For a multinational organization, the location of its European headquarters will determine which E.U. member state's laws will apply and which regulatory authority will have jurisdiction. That said, individuals will be given a wider range of powers to bring personal action against an organization (either in the country where a non-compliant organization is located or in the individual's local courts). Trade associations will also be empowered to bring class actions on behalf of their members. For the first time, data processors will share equal responsibility and liability for compliance with the new laws, raising the stakes for IT service suppliers."