The EU’s justice and rights commissioner, Viviane Reding, has recently warned that the U.S. needs to adjust its surveillance programs or risk freezing its data sharing arrangements with the EU. The statement is part of an ever-tightening regulatory framework emerging from the European Union, with significant capacity to affect US companies, interests and agencies that work with and collect data in Europe and about European citizens.
The current EU proposal regarding privacy reform aims to alter the well-entrenched 1995 EU Privacy Directive. The 1995 Directive has been criticized as out of date due to the rapid development of technology and the massive increase in the online use of personal information. The current status of the EU proposal reflects these concerns as well as the need to increase privacy protection for individuals; the emphasis on protecting the interests of private European citizens is particularly evident. The original proposal (prior to the recent approval and slight alterations by the European Union Committee on Civil Liberties, Justice, and Home Affairs) aimed to include:
• A single set of rules on data protection, valid across the EU. Unnecessary administrative requirements, such as notification requirements for companies, will be removed. This is estimated to save EU businesses around €2.3 billion a year.
• Instead of the current obligation requiring all companies to notify all data protection activities to data protection supervisors (a requirement that has led to unnecessary paperwork and costs businesses €130 million per year), the Regulation provides for increased responsibility and accountability for those processing personal data. For example, companies and organizations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible, within 24 hours).
• Organizations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU. Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.
• People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services.
• A ‘right to be forgotten’ will help individuals better manage data protection risks online: each individual will be able to delete their data if there are no legitimate grounds for retaining it.
• Notably for a US audience, EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
• Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.
• A new Directive will apply general data protection principles and rules for police and judicial cooperation in criminal matters. The rules will apply to both domestic and cross-border transfers of data.
The European Union Committee on Civil Liberties, Justice, and Home Affairs (LIBE Committee) recently approved an amendment to the 1995 Directive, but altered some of the proposals outlined above (specifically the “right to be forgotten” was replaced by a narrower “right of erasure”). The “architecture and the fundamental principles” were given “strong backing” by the LIBE Committee, and thus remain intact. The current proposal can be viewed here. A more concise overview of the differences between the Commission Proposal and European Parliament Vote can be seen in the European Commission – Memo here.
Implications for US Access – Safe Harbor
Because the new policy would apply to any company handling EU persons’ personal information, it has potentially serious implications for US business operations in the EU. One likely concern for US business results from the large fines which can be imposed on companies that violate the policy. However, the European Commission recently stated that it would not suspend the safe harbor agreement between the US and the EU, although it may tighten up the existing agreement. Currently, it appears that US companies would still be able to opt into the safe harbor program despite these amendments to the 1995 Directive.
The current structure of the safe harbor agreement, however, is under increasing pressure. Many of the EU concerns with US privacy violations appear to focus on the US government’s intelligence collection programs, rather than individual businesses and general data sharing per se. The challenges articulated here relate to business because of the ability of the US government to access the privacy data gained legitimately by US companies through the safe harbor program.
Given that the European Commission has stated that it does not plan to suspend the safe harbor program, but has recently made “13 recommendations to improve the functioning of the Safe Harbour scheme,” the ability of US companies to gather personal data in the EU appears uncertain (because of the EU concern with US government surveillance programs), but not completely threatened. Future restrictions will likely become stricter, but will depend on the coming developments in the European Parliament regarding the EU data proposals and on the EU-US safe harbor negotiations.
Further changes are clearly afoot on multiple data protection fronts in the European Union. The 1995 Directive changes are merely one small step in a broader regulatory, judicial and political set of moves some of which have been reported here. All are clearly relevant to both US business and security interests, and we retain a watching brief.