EU updates data protection rules
Data Protection Regulation expands EU's jurisdiction
March 26, 2012 at 08:00 PM
In 1995, AOL still charged by the hour for dial-up Internet access, Stanford Ph.D. candidates Larry Page and Sergey Brin were a year away from launching the research project that would become Google, and Mark Zuckerberg celebrated his 11th birthday. Fewer than 1 percent of European Union residents were Internet users.
That was the year the EU adopted its Data Protection Directive, which regulates the collection, processing and storage of personal information in Europe. Fast forward to the age of cloud computing, social networking and online behavioral advertising, and the antiquated rules were in need of a face-lift. After more than two years of consultations with industry, governments and individuals, on Jan. 25 the European Commission (EC) released its draft General Data Protection Regulation, an Internet-era revision that will replace the 1995 directive.
The proposed regulation takes rapid technological development and the dramatic increase of data-sharing and collection into account and tightens requirements, introducing a host of new concepts and new corporate responsibilities.
On Feb. 23, the Obama administration released its own framework for privacy protections, the Consumer Privacy Bill of Rights, which marks another step toward omnibus privacy legislation in the U.S. But traditionally, the EU has taken a much more stringent approach to data protection, and its new proposed regulation is no different.
The update presents big challenges to affected companies, but it also offers one huge improvement over the 1995 directive. While the EC has framed the new rules as a way to build a level of trust in consumers that will give Europe a market advantage, the real advantage for companies will be uniformity.
Streamlined Rules
While the 1995 directive instructed each of the 27 member states to incorporate and implement the requirements into national law, the update comes in the form of a regulation, which overrides national laws. Companies will no longer have to deal with 27 different interpretations of the 1995 directive. There will be one set of rules, and companies will work only with the national authority of the member state in which the company has its main establishment.
“Having one centralized set of rules is a huge step forward,” says Mary Hildebrand, a member of Lowenstein Sandler.
Much of the EC's literature on the new regulation focuses on how the new certainty of the streamlined rules will spur innovation and make the EU a friendlier place for businesses that operate in the cloud.
That's yet to be seen, but it will make Binding Corporate Rules (BCRs) easier for companies to adopt as an alternative to the Safe Harbor mechanism for transferring Europeans' personal data to the U.S. Now, U.S. companies must satisfy just one data protection authority instead of the authorities in every country in which they operate.
“Right now BCRs are an option but extremely difficult to do—only about 12 companies have successfully done it,” says William Baker, of counsel at Wiley Rein. “My sense is the EU thinks BCRs can be an effective way to make data transfers, and it would like to streamline the process to make life easier for American businesses.”
New Challenges
While it offers important benefits, the 91 articles of the proposed regulation will present numerous new challenges for companies.
The regulation has expanded extraterritorial application: Companies that process EU residents' personal data are subject to the requirements if they offer goods or services to data subjects in the EU or if they monitor those subjects' behavior. Under the prior directive, the rules applied to companies only if they had some physical presence in Europe, such as an office, a data processing point or space in a server farm.
“You can see how this is really reaching its tentacles outside of Europe into the U.S. corporate world,” says Susan Foster, a member of Mintz Levin in London.
Companies without a physical presence in Europe now must appoint a representative in Europe—a person or company that “acts and may be addressed by any supervisory authority and other [EU bodies]” in the place of the company.
Companies with 250 employees or more would have to appoint a senior data protection officer in an auditor role.
“Only a small handful of very forward-looking companies have implemented accountability-type frameworks,” says Lisa Sotto, a partner at Hunton & Williams. “You can't underestimate how significant this change is going to be.”
Another new provision creates what Foster calls “the toughest data breach notification requirements I'm aware of anywhere”: companies must notify authorities of a personal data breach “where feasible, within 24 hours.”
The new regulation also raises consent standards, requiring companies to get explicit, rather than implied, consent to process personal data. It includes a provision that suggests consent would not be valid “where there is a significant imbalance between the position of the data subject” and the company, language Foster says is troubling.
One of the other major changes addresses fines for noncompliance. The new regulation gives national data protection authorities the right to impose fines totaling up to 2 percent of a company's global revenues. Previously, fines have been rare and low in this area given the scale of data processing in Europe.
Social Networking Rights
One of the regulation's most controversial new provisions is the right to be forgotten, or the right to “erasure without delay” of personal data upon request if there is no legitimate reason for keeping it. A related provision is the right to data portability, which gives users the right to move their personal data and to obtain copies of it, in a common format, from companies that process it.
“I'm slightly worried that we might not have Facebook in Europe if this regulation actually goes into effect,” Foster says. “I think [authorities] have really underestimated the potential burden on these companies.”
Both provisions look burdensome in the context of social networking—imagine a request that a Facebook user's every post, “like” and photo tag be deleted or transferred to another service. Foster says the final regulation might include something like a balancing test, weighing the importance to the individual against the burden on the company.
While there's still time for discussion and revision as the EC presents the bill for consideration to the European Parliament and European Council, the draft regulation already has been through two years of formal, extensive consultation (or comment) processes.
“Companies should probably assume that we'll end up with something pretty similar to what we have in the draft regulation,” Foster says.