EU Data Privacy Laws: New Rules for Doing Business in Europe
Do you do business in Europe? Or, more precisely, does your business collect or use any data from European consumers? If so, mark May 25, 2018 in your calendar as that is when the General Data Protection Regulation (GDPR) comes into effect. Better yet, start preparing today, as you want to examine all your data handling procedures and processes to ensure you are in compliance.
The overarching goal of the regulation is to give EU citizens more control over their personal information. They will be able to access their data more easily, move it to another service provider, delete it (if there’s no reason to keep it), or find out if a company holding their data has been hacked.
Simultaneously, the regulation’s intent is to improve business innovation and create business opportunities. While many think regulation only makes business more complex, rules that clarify and homogenize numerous other regulations across the entire EU are, according to Andrus Ansip of the European Commission, “a major step towards a Digital Single Market”.
Significant GDPR Considerations
- One set of rules
A single EU-wide law that covers all data protection requirements
- Data Protection Officer (DPO)
Large scale data operations and public authorities require a designated DPO
- One-stop shop
Businesses deal with one single supervisory authority (from their primary country)
- Data protection by design and by default
Design and develop new products and services with data protection standards built-in from the start and default to privacy-friendly settings
- Removal of notifications
In most cases, obligations to notify the DPA (Data Protection Authority) are unnecessary. However, risk assessment and record-keeping requirements still exist for high-risk situations.
EU-US Privacy Shield & Umbrella Agreement
As data protection laws vary country by country, there remains substantial confusion about the exact nature of laws handling data across borders. At a high level, the GDPR summary states: “companies based outside the EU must apply the same rules when offering services or goods, or monitoring behavior of individuals within the EU.”
For US companies, look to the EU-US Privacy Shield, a framework for transatlantic exchanges of personal data. However, as of Feb. 1, 2017, the EU-US Umbrella Agreement extends judicial redress protections before U.S. courts to individuals living in the EU. It’s an open question whether these agreements will withstand court challenges, new laws or executive challenges.
For example, one of the Trump Administration’s first actions was passing the Enhancing Public Safety order that stated: “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”
Many took this as breaking the Privacy Shield. However, the European Commission recently stated: “The US Privacy Act has never offered data protection rights to Europeans. The Commission negotiated two additional instruments to ensure that EU citizens’ data is duly protected when transferred to the US:
The EU-US Privacy Shield, which does not rely on the protections under the US Privacy Act.
The EU-US Umbrella Agreement, which enters into force on 1 February (2017). To finalize this agreement, the US Congress adopted a new law last year, the US Judicial Redress Act, which extends the benefits of the US Privacy Act to Europeans and gives them access to US courts.”
They did add, though, that they will “continue to monitor the implementation of both instruments”, indicating that we might not have heard the last of this complex issue.
- Prepare for data breaches
Create rules and processes, so that if a breach does happen you’ll know what to do and can limit the damage
- Build a Data-Safe culture
Develop policies, implement, train, monitor and assess.
- Build privacy by design
Have privacy in mind from the beginning of any new project
- Analyze your personal data processing framework
Is consent freely given, specific and informed? Or do you have a legitimate interest in processing personal data that overrides the right to privacy?
- Have clear and understandable privacy notices
- Be ready for citizen requests
Citizens have the right to be forgotten or to move their data
- Check your 3rd party policies, procedures and contracts
- Watch cross-border data transfers
Transferring private data to countries that don’t uphold the same data protections can result in significant fines
As the world goes increasingly digital, our data footprint, and the ability to analyze it, is rapidly growing. Data protection laws, such as the GDPR, are important to protect us against micro-targeting, surveillance and other data transgressions.
They provide legal frameworks to guide data privacy procedures and help businesses understand their requirements and limitations. They provide clear legal ramifications for non-compliance and encourage techniques such as anonymization (removing personally identifiable information) and encryption (encoding messages so only those authorized can read them).
They also can cut costs, encourage innovation and increase consumer trust. Data protection laws are necessary building blocks to take full advantage of new digital opportunities, while retaining critical protections.