Big Changes Coming in EU Privacy Law

The European Union is about to make major changes in its privacy law that will have a significant impact on U.S. companies that do even modest amounts of business in Europe. On January 25, 2011, the European Commission (the EU’s executive branch) released a long-awaited Draft Regulation on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data. While it will likely be a year or more before a final Regulation takes effect, and there will almost certainly be amendments along the way, American companies should start paying attention now, since they may have to change the way that they do business in Europe. We at Robinson Bradshaw & Hinson, P.A. are doing our own detailed analysis of the Regulation, which we will be distributing soon in the next edition of our IP Newsletter. Here are some of the key issues we are examining:

• It is significant that the Commission is acting by Regulation rather than Directive (as was the case with the current privacy law, enacted by Directive in 1995). A regulation is top-down, imposed uniformly throughout the EU, whereas a Directive is adopted country-by-country, which gives individual nations the chance to make adjustments.
• The EU is taking a very aggressive approach to jurisdiction, or its authority to regulate—and impose penalties on—U.S. and other foreign companies that do business in Europe. The Regulation will cover all data processing activities (very broadly defined) by non-EU companies that are “directed to” data subjects in the EU.
• Data subjects (also broadly defined) will have significantly more rights than under current EU law. For example, the company will have the burden of proving that every subject has given consent for the processing of their data for specified purposes. Consent is defined as “any freely given specific, informed and explicit [emphasis added] indication of will,” and can be withdrawn at any time. The subject will also have a controversial “right to be forgotten and to erasure.” This means that when the subject withdraws consent or “the data are no longer necessary” for the purposes for which they were collected, the company must render the data inaccessible, including on the Internet.

These are just a few of the more important features of the 96-page, 91-Article Regulation. Elsewhere, it will create other new rights and responsibilities and reaffirm and/or strengthen many provisions of existing law, including the current restrictions on transferring data outside of the EU. The draft must now be reviewed by several Directorates of the EU Commission before being submitted for review and approval by the Parliament and Council. But while full implementation will take some time—more than a year in most estimates—the changes are so dramatic and far-reaching that U.S. companies doing business in Europe will require at least that much lead time to plan their compliance.