European Data Privacy Compliance

BY: ELLIOT WEISS

October 24, 1995 marked the official publication of Directive 95/46/EC of the European Parliament, a regulatory framework for the protection of individuals with regard to the processing of personal data and the free movement of such data. The regulatory text under recital (30) provides, “whereas, in order to be lawful, the processing of personal data must be carried out with the consent of the data subject or be necessary for the conclusion or performance of a contract binding on the data subject.”[1. University of Iowa, Common Position (EC) Adopted by the Council on February 20, 1995 with a View to Adopting Directive 94/ /EC of the European Parliament and the Council on the Protection of Individuals with Regard to the Processing of Per, 80 Iowa L. Rev. 697, 703 (1995).] The European Union Data Protection and Privacy Directives have added further regulations over the years, such as Directive 2009/136/EC. This directive, often referred to as “The Cookie Directive,” requires that first- or third-party cookie placement for advertising or retargeting purposes be accompanied by a higher degree of transparency, disclosure, and opportunity to opt out.[2. Peter F. McLaughlin, Complying with the EU Cookie Directive for Email Communications, 17 No. 5 Cyberspace Law. 23 (2012).]

Since 1995, the two primary requirements of the European Union Data Protection and Privacy Directives have been transparency and consent. Corporations must obtain the prior consent of website users in order to use and exchange their personal data.[3. Eric Pfanner & Kevin J. O’Brien, European Privacy Regulators Warn Google on Data-Gathering Policies, N.Y. Times, October 17, 2012, at B1.] Experts have recommended that companies such as Facebook, Google, and other data processors include in their privacy policies explanations of how users can control the storage of and access to cookies on their devices, specifically by referring users to their browser interfaces for further information. To comply with the European Union directives, companies have been advised to provide users with links, user-friendly directions, and a mechanism for refusing to make their personal data available.

Established in October 1995, the Article 29 Data Protection Working Party is an independent government advisory body on privacy, whose recent work has focused on search engine operators.[4. Paul M. Schwartz & Daniel J. Solove, The PII Problem: Privacy and a New Concept of Personally Identifiable Information, 86 N.Y.U. L. Rev. 1814, 1883 (2011).] Because the Data Protection Directive applies to businesses established in the European Union, its application to multinational corporations is not clear. In June 2012, the European data protection authorities adopted a working document entitled Binding Corporate Rules for Processors, issued by the Article 29 Data Protection Working Party.[5. Overview on Binding Corporate Rules, European Commission (Oct. 19, 2012), available at http://ec.europa.eu/justice/data-protection/document/international-transfers/binding-corporate-rules/index_en.htm.] The Binding Corporate Rules (“BCR”) are internal rules that apply to the entities of a multinational company. These rules contain key legal principles covering the transfer of personal data out of the European Union. BCR are internal codes of conduct covering data privacy and security, designed to assure the clients of data processors that transfers made in the performance of service agreements are adequately framed and protected in accordance with European Union data protection laws.[6. Id.] The Article 29 Working Party provides a checklist describing the conditions that must be met for a multinational data processor to properly acquire and transfer client data under its third-party agreements.[7. Id.]

Kamaal Zaidi’s piece, Harmonizing U.S.-EU Online Privacy Laws: Towards a U.S. Comprehensive Regime for the Protection of Personal Data, contrasts the European Union’s approach to data protection with that of the United States.[8. Kamaal Zaidi, Harmonizing U.S.-EU Online Privacy Laws: Toward a U.S. Comprehensive Regime for the Protection of Personal Data, 12 Mich. St. J. Int’l L. 169 (2003).] Zaidi sets forth the premise that “privacy regimes among various nations exist in either a comprehensive or sectoral fashion.”[9. Id. at 171.] Under Directive 95/46/EC, the European Union employs a comprehensive approach, which requires all member states to implement adequate protection of personal data used in commercial transactions. In contrast, the U.S. employs a sectoral approach that involves fewer privacy protections.[10. Id. at 171.] This distinction means that U.S. companies engaging in online commerce with the European Union will face increasingly demanding compliance standards. If a U.S. company fails to meet these standards, penalties can be imposed in the form of legal enforcement action.

On Wednesday, October 17, 2012, The New York Times ran the headline “European Privacy Regulators Warn Google on Data-Gathering Policies.”[11. Eric Pfanner & Kevin J. O’Brien, European Privacy Regulators Warn Google on Data-Gathering Policies, N.Y. Times, October 17, 2012, at B1.] Regulators warned Google that it must clarify what consumer information it gathers and shares with advertisers, or risk fines or other penalties by early next year. They demanded that the company modify the global privacy policy covering dozens of Google online services, such as YouTube videos and Android mobile phone apps, so that users have a clearer understanding of what personal data is being collected and how they can better control how their data is shared with advertisers.[12. Id.] The transparency requirements imposed under Article 10 and Article 11 of the European Union Data Protection Directive provide that online users (termed data subjects) have the right to be informed when a data processor company (termed the controller) records their information.[13. Official Journal of the European Communities, art. 31, Nov. 23, 1995, No. L 281.] The controller must disclose its name, address, and reason for recording. If the data processing company decides to sell or provide user data to a third party, it must disclose who will receive the data.[14. Id.] While the increased compliance costs placed upon U.S. companies will certainly be unpopular with multinational corporations such as Google, the additional expenses are inconsequential relative to the level of business that Google conducts throughout the world. If raising money on the American money markets requires compliance with the public disclosure requirements set forth by the Securities and Exchange Commission, then operating within a global territory with more stringent data protection regulations can be viewed as a small corporate compliance tax for a company fortunate enough to command a large share of the technological marketplace.
