GAMABrief: Understanding the EU’s Data Privacy Reforms
The European Union (“EU”) is in the process of strengthening its digital data privacy laws, the far-reaching effects of which will be felt by any United States company doing business in the EU. The latest move toward implementation of the General Data Protection Regulation (“Regulation”) occurred in late October 2013, when the European Parliament approved certain amendments to the current draft of the legislation. If passed, these amendments will further strengthen online data privacy and severely restrict the transfer of EU citizens’ personal data to non-EU countries.

EU’s Privacy Status Quo

Currently, the 1995 Data Privacy Directive (“Directive”) regulates data privacy in the EU, directing each of the twenty-eight EU member countries to create its own set of data privacy laws that comply with the Directive’s provisions. That means a company with customers in all twenty-eight member countries must learn and comply with the unique data protection rules of twenty-eight different countries.

To ease this burden, the U.S. Department of Commerce and the EU developed a Safe Harbor certification program under which U.S. companies that can demonstrate an adequate level of privacy protection are able to transfer personal data outside the EU without violating the Directive. To meet Safe Harbor certification standards, companies must implement privacy frameworks that abide by seven principles on topics like notice, choice and data security. Thus, even with the ability to obtain Safe Harbor certification, U.S. companies operating in the EU must nonetheless pay special attention to the manner in which they handle personal data or face sanctions by governing bodies in both the United States and the EU.

The Proposed Overhaul

The October vote moves the EU one step closer to overhauling the inconsistent patchwork of country-specific rules and replacing it with a single, uniform piece of legislation. The European Parliament is aiming to have the provisions of the Regulation fully agreed upon by May of 2014 and to take effect two years after that. This may seem like a long way off, but the anticipated changes are substantial, and certain countries are already rushing to legislate their own stricter data privacy laws in the meantime. Companies should begin preparing for the changes now. Once the Regulation is in force, companies whose data privacy policies have not been updated to comply with it will be in violation of the law.

The new Regulation acknowledges the vast changes brought about by the growth of the Internet, changes concerning how personal data is generated, stored, shared and viewed, and seeks to better protect the privacy of EU citizens. Influenced by this goal and in light of the NSA’s secret spying activities, the European Parliament has just voted overwhelmingly in favor of every proposed pro-privacy amendment to the latest draft of the Regulation. A few of the key changes included in the amendments are discussed below:

• Right to deletion, data access and correction – Internet users have the right to have their online data deleted. Upon request, companies, both big and small, must delete the personal data of the user and communicate the deletion request to any third party to whom they sent the data. Moreover, companies must clearly explain to users what they do with the user’s personal data and hand over the data upon request.

• Informed consent – Users should be clearly informed about what happens with their data, and they must explicitly agree to such use. That means companies must provide users with easy-to-understand privacy policies and only track users if the privacy settings of the user’s browser clearly permit it.

• Right to information and transparency – Companies must provide users with clear and easy-to-understand information on how their data is collected, used and stored, and must inform users when or if the company transfers personal data to public prosecution authorities or intelligence services.

• Data transfer to non-EU countries – Companies may not transfer personal data of EU citizens to the authorities of a non-EU country unless the transfer complies with European law. This means that communication and Internet companies may no longer hand over data to U.S. authorities unless explicitly allowed by EU law or an international treaty.

• Identifying data – All data which can directly or indirectly identify an individual, even if it comes from a mass collection of “Big Data,” must be protected. In this way, the Regulation is encouraging pseudonymized data that cannot be linked to other data.

• Heavy sanctions – Companies that violate the Regulation will face tough sanctions. Violations could result in fines up to the greater of 100 million euros ($137 million) or 5% of the company’s annual worldwide revenue.

• Privacy by design – Companies should operate with a “Privacy by Design” mindset: develop and integrate privacy procedures into every level and aspect of their operations. Further, companies should minimize their data use and collection practices and implement the most data protection-friendly settings possible. In other words, companies should only collect data that is necessary for the functioning of their service. Users should also be able to use services anonymously or pseudonymously.

• Data protection officer – Companies that regularly deal with personal data must appoint a data protection officer. The size of the company does not determine whether such an officer is required; rather, the amount and relevance of the company’s data use and collection practices will make this determination.

• Uniform enforcement of the rules – A European Data Protection Board will ensure the data protection law is applied consistently throughout the EU. In this way, companies may not avoid strong data protection laws by racing to those countries with weak law enforcement, nor will they be unwittingly subject to the more aggressive data enforcement practices of countries like Spain or Germany.

Preparing for the Change

While the Regulation has not yet been finalized and certain provisions will likely be amended, companies can and should begin taking steps to prepare for the inevitable changes. First, companies should review their privacy policies to ensure they are accurate and up to date. Some policies may need to be re-written to comply with the requirement that they be clear and easy to understand. Second, companies should appoint a Data Protection Officer. An existing employee may be able to absorb the role, or the company should consider hiring outside legal counsel to take on the position. Third, companies should conduct an audit to determine their strengths and weaknesses with respect to privacy. The results of the audit will help the company determine whether its privacy safeguards are sufficient and will reveal whether the company is collecting more data than necessary. Finally, companies should experiment with and test their privacy controls. Any errors or oversights could result in sanctions and/or substantial fines.

For more information or guidance on getting your business ready for the new EU privacy regulations, contact a privacy attorney at Gagnier Margossian LLP.

A GAMA White Paper produced by Christina Gagnier & Emily Poole. © 2013 Gagnier Margossian LLP. All rights reserved.

Gagnier Margossian LLP – Los Angeles, Sacramento, San Francisco – T: 415.766.4591 – F: 909.972.1639 – E: consult@gamallp.com – gamallp.com – @gamallp