Will the New European Data Protection Reform Affect Us?
The European Commission voted in March, 2014, to strengthen privacy rights promised by the European Union’s 1995 Data Protection Directive. The reform will change the law from a Directive to a Regulation, meaning it will be directly applicable in all of Europe without the need to wait for national implementing legislation.
The regulation will apply to any personal data handled abroad by companies that are working with the European Union (EU) market and/or offer their services to EU citizens. That means companies need to be aware of this new update, as well as the risk of non-compliance and harsher penalties potentially imposed under law.
The reform will change the law from a Directive to a Regulation, meaning it will be directly applicable in all of Europe without the need to wait for national implementing legislation.
U.S. companies that conduct business in Europe need to ensure that they have a legitimate reason for transferring personal information within or outside of the EU. Personal information is any data concerning a person’s private, professional or public life. It may be a name, a photo, an email address, bank details; posts on social networks, medical information or even a computer’s IP address.
Assuming your company has a legitimate basis for processing and using personal data, the EU Data Protection Reform regulation sets out three avenues to make your data transfers legal:
- Certify compliance through the U.S. Department of Commerce Safe Harbor registration. The European Union still recognizes that Safe Harbor registration is compliant with the EU law. For more information, consult: http://www.export.gov/safeharbor/
- Have appropriate safeguards in place to protect personal data within your company, including for example binding corporate rules approved by EU data protection authorities.
- Complete data transfers in clearly defined, specific situations which necessitate the transfer; for example as part of a legal, tax or competition investigation.
To comply, companies will need to show that their data processing is legitimate, and that they consistently monitor, review and assess the data processing procedures in place. The aim is to minimize the retention of data and build in safeguards for processing activities.
Company leaders should ask themselves these questions:
- What information is to be collected and where?
- Why the information is being collected?
- What is the intended use of the information?
- With whom the information will be shared? Is it shared with Europe?
- Is there a collection of information IT system affecting people’s data in Europe?
- How will the information be secured? What security controls or auditing processes exist?
- Do individuals in the EU have an opportunity to decline to provide information or give consent?
And if that is not scary enough, penalties under the reform for data protection violations will rise significantly depending on the seriousness of the offense, whether it is a repeat offense, if it is intentional, and whether the violator is a company with processing data as its primary activity. Sanctions may involve:
- A simple warning for a first non-intentional offenses when only engaging in processing as an ancillary activity.
- Regular data protection audits.
- A fine of 5% percent of annual worldwide turnover for certain serious acts committed intentionally or negligently.