Changes in EU Privacy law

Since implementation of Directive 95/46, U.S. companies receiving data about EU nationals have been required by their customers either to comply with the U.S. Safe Harbor standards or, more recently, to agree to binding contractual principles if they had not qualified under those standards.  In January 2012 a new draft privacy regulation was presented for discussion by the European Parliament and the EU Member States meeting in the Council of Ministers.  While the draft may still change significantly, U.S. companies would be well advised to start aligning their operations with its fundamental principles now, to avoid being caught flat-footed when it takes effect in 2014 or 2015.

The new regulation stems from the ratification of the Treaty of Lisbon in 2009.  The treaty creates closer integration among the member states.  In the past, EU foundational documents were designed to begin aligning the laws of countries with vastly different legal systems and cultures.  While that alignment is far from complete, the treaty establishes a more unified group, and it is this desire for tighter integration that is moving the new regulation forward.

One of the fundamental differences about the new regulation is that it is a regulation rather than a directive.  Under the prior directive, each EU member state had to implement the directive in its own national law, so each country ended up with its own variation.  While this didn't typically affect U.S. companies directly, it created a patchwork of privacy laws across the EU.  A regulation, once passed, is directly applicable in all member states without any national legislative action.  In essence, the EU will have a single, uniform privacy law.

There are a number of important concepts in the new regulation.  For companies planning their operations down the road, two concepts need to be anticipated immediately: the "right to be forgotten" and the right to "data portability."  Each will require changes to corporate or network operations in order to comply with the regulation.  These changes likely can't be made on the fly, so their impact needs to be anticipated now.

The right to be forgotten is arguably the most controversial aspect of the new regulation.  In essence, it gives data subjects the right to obtain erasure of the vast majority of information about them held in any publicly available communication service.  The implications of this right for infrastructure providers cannot be overstated.  Upon request, any entity holding a copy of such data will be required to purge it from its networks and to instruct any third parties to whom the data was sent to do the same.  Given that most infrastructure providers operate complicated networks with many downstream parties, the number of entities that must delete the data is large.  As it stands, most infrastructure providers' contracts give them no right to demand this deletion, much less to require written evidence that it has taken place.  Since the right to be forgotten is treated as a fundamental right, infrastructure businesses would be wise to start incorporating it into their contracts immediately.

Like the right to be forgotten, the right to data portability will have a significant impact on infrastructure providers.  This right requires data processors to make an individual's data available to that individual in a form that allows it to be transferred to another provider.  Since many infrastructure providers store data in proprietary formats, this right will require changes to network processes.  Because infrastructure providers will usually not receive a portability request directly, but rather through their customers, their networks will need to be engineered to satisfy customers' contractual requests that data be made portable.  As with the right to be forgotten, this calls for changes to contracting processes as well as to network configuration, and it may also require a deeper dive into the data-formatting practices of vendors.

Another issue that bears consideration is the requirement that entities directing their marketing efforts at the EU, but having no operations there, appoint an agent in the EU to accept responsibility for their compliance with the regulation.  This aspect of the regulation has the potential to significantly affect the ability of non-EU companies to sell into the EU.  It is hard to imagine an individual agreeing to take full responsibility for a foreign company's compliance with EU law at a price that still allows that company to do business in the EU.

The seriousness of the new regulation is evident in its penalty scheme.  Violations can incur penalties of up to €1 million or 2% of the enterprise's annual global turnover.  Current penalties are nowhere near this steep.

While the U.S. "Safe Harbor" program still applies, and will likely continue to do so, companies should anticipate that these changes will eventually make their way into that program as well.  Given that the U.S. is such an attractive market to EU companies, U.S. companies that take the regulation's impact on their business into account now will have a leg up on their competitors in attracting EU business.

David Snead

About

David Snead is a lawyer whose practice is focused on internet infrastructure providers. In his eleven years in this practice, he has represented clients including multinationals, middle tier hosting companies, and two guys, a server, a T-1 and a huge MasterCard balance.

A long-time WHIR contributor, David Snead is the Web hosting business's best-known legal expert. Through his WHIR blog, he offers a credible legal perspective on both specific actions in the Web hosting business and general developments in legislation.


Comments (3)

David Snead, July 20, 2012 at 1:11 pm

Hi Ben,

Entities located in the EU are required to comply with their national laws implementing the current directive. There can be significant penalties if they do not.

Hosting with a Safe Harbor-compliant host makes things so much easier. However, if you choose not to, you could always ask your U.S. host to agree to the "model clauses" that bring EU companies into compliance with their national laws.

David


Ben, July 18, 2012 at 1:07 pm

Informative post, David. I have a question relating to the current situation. I'm looking to (indirectly) host websites and their data for UK (and EU) SMEs.

Given that some of that data could be personal, how important is it that the web hosting provider I use is either based in the UK/EU or, if based elsewhere, has Safe Harbor certification? What other issues around Safe Harbor do I need to be aware of?

All the hosting providers on my shortlist are U.S.-based, but none of them are Safe Harbor certified. They include some of the very biggest names. Do I need to be concerned about this?

I'm finding very little useful information on this either way on the Web, so I'm unsure whether I'm worrying over nothing!

Any thoughts on this would be much appreciated.


powerempirehosting, June 26, 2012 at 11:22 am

Great, interesting blog.
