(This blog is a follow-up to our previous post USA Patriot Act and Cloud Hosting: What You Need to Know. It focuses on the recent draft of data protection directives set forth by the European Commission in response to their outdated data privacy laws.)
As discussed in a previous blog, the USA Patriot Act reaches far beyond its own borders. The Patriot Act makes any data kept by a U.S. company, whether within or outside the U.S., susceptible to possible U.S. Government seizure or warrantless search.
So, regardless of where it is stored, any data can be turned over to the government for inspection since the company storing the data is governed by U.S. law. As expected, this is a concern for European users who have data stored in a server that falls under U.S. law. This applies to most major cloud services like Amazon, Microsoft, Google and Facebook.
The blog finished by reminding readers that the European Commission would meet in January 2012 and clarify the Patriot Act’s reach within the EU’s jurisdiction. A 15-year-old Data Protection Directive would be revised and every effort would be made to let EU data remain in EU jurisdiction with EU law taking precedence. This is the result of that meeting:
Welcome to the 2012 European Data Protection Regulation
On Wednesday, January 25th 2012, the European Commission, led by EU Justice Commissioner Viviane Reding, the Commission’s Vice President, proposed a reformation of the data and privacy laws that govern Europe’s 27 member states.
A press release highlights the key changes to the 1995 data protection laws currently in place. Reding’s passion is apparent in her fight to protect European users’ online personas, but she and the Commission seem to have missed the biggest point. Conspicuously missing is language intended to close the Patriot Act loophole that was foreshadowed in a leaked copy of the new law in November. Apparently, following U.S. lobbying to remove any Patriot Act-killing directives (the U.S. claimed the new laws “will break with international standards and might even end up being counterproductive for data protection”), the European Commission has planted its focus squarely on data protection rights for the user.
In the press release, Reding explains the European Commission’s objective:
“The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data. My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information. The reform will accomplish this while making life easier and less costly for businesses. A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation.”
Reding assures that her proposals “will help build trust in online services because people will be better informed about their rights and more in control of their information.” And while her statements capture the controversial new directives well, they haven’t alleviated the concerns of companies like Google and Facebook, which remain uneasy about the new directives.
Key Changes to Current EU Data Protection Rules
Uniformity. No longer will Europe’s 27 member states review, enforce and discipline data laws separately – now a single set of rules on data protection will be enforced across the EU. It’s being called a ‘one-size-fits-all legal instrument’ that, among other things, paves the way for easier cross-border data transfers and saves EU businesses an estimated €2.3 billion a year by removing ‘administrative requirements’ and related costs.
Increased Responsibility and Accountability
Under the current data protection plan, companies are expected to notify data protection supervisors of all data protection activities. According to the press release, this requirement has ended up costing EU businesses around €130 million per year due to the ‘busy work’ involved in this reporting. The new Regulation refines this process with a few directives that place more responsibility and accountability on those processing personal data.
24 Hour Data Breach Reporting
Several articles cite the Sony PlayStation Network breach fiasco last April as an example. Around 77 million PlayStation users’ accounts were hacked and all of their user information harvested (contact details, purchase history, PSN passwords, security questions and answers, etc.). Yet it took nearly a week for Sony to let their users know. This reform demands notification to the national supervisory authority when any serious data breach occurs. And they want that information received as soon as possible. How quickly? Within 24 hours whenever possible.
A Single National Data Protection Authority
Keeping with the uniformity of the new reforms, organizations will deal exclusively with their own data protection agency to ensure enforcement of their own country’s law, even if the data is processed by a company outside of the EU. Now companies with multiple operations throughout the EU will look to the country where their headquarters is located as their data protection authority. For most U.S. companies this seems to be the UK. Users will also refer to the Data Protection Authority of their own country, even if their data is processed outside of the EU. In the same breath, when consent is required for data to be processed, this permission must be given ‘explicitly’ by the user, rather than be assumed by the company.
Exporting Personal Data
As previously mentioned, this single set of rules on data protection will allow easier access to personal data for EU users. With this control, users will have access to what will most likely be a type of content dashboard imposed on services like social networks to make relevant personal data available to users and allow them to ‘pick up and move’ their data elsewhere if necessary. It is assumed that this change will improve competition among these types of web services.
The ‘Right to be Forgotten’
Reding has made it her mission to help people better manage data protection risks online and, while this directive is considered the golden child of the regulations for some, it is the most controversial for others. EU users can pull the plug on their data if they like, erasing all relevant data from a particular site if there are no “legitimate grounds” to keep it. It’s considered a particularly attractive addition as it would, at the user’s request, wipe your picture, profile, or any other data from a web site, search engine or social network. Completely deleting your Facebook account could become easier, though it is unclear how cooperative the social juggernaut, or the search engine titan Google, will be.
EU Way or the Highway
Perhaps one of the only rules that comes close to standing up to the U.S., this one makes it clear that where personal data is being handled by companies active in the EU yet governed from outside its borders, EU rules apply. This would affect all the big names like Twitter, Facebook, Microsoft, Apple, etc. operating in the EU and has left a bit of a sour taste in their mouths. Expect much bickering over this one…
Strict Punishments for any Violations
In an effort to enforce the new rules, independent national data protection authorities will take on an important role within the EU. Companies with 250+ workers will be required to appoint a data protection officer who acts as a liaison to the local data protection agency. This person would be responsible for reporting any data breaches as they occur. The independent national data protection authorities, in turn, can impose penalties for violations of up to €1 million or ‘up to 2% of the global annual turnover of a company’.
2012 European Data Protection Directive
Where the Regulation deals with data rules for EU users, the Directive will deal with how law enforcement handles the user’s data. The rules governed by the Directive will apply to “both domestic and cross-border transfers of data”.
And so we see a strong argument for user control balanced with a stricter unity in the 27 member states’ enforcement of the data laws. The EU’s effort may restore consumer confidence in online services, but those offering the services don’t seem to be impressed with having their arm twisted by another country’s laws… (reminiscent of their feelings over our Patriot Act?)
Read the second and final part of this series The European Commission and Data Protection Laws: What You Need to Know (Part 2 of 2) that examines how the EU’s data law reforms will affect U.S. businesses, the U.S. response and tips for how to move forward.