European Union Proposes New Online Privacy Regulations

Early in 2012, the European Commission proposed a reform of the European Union’s data protection rules. The European Commission sought to strengthen online privacy rights and improve Europe’s digital economy. The European Commission pointed to expansive globalization and different levels of implementation by the EU’s 27 member states as reasons to seek uniform online privacy rights. Indeed, each member state has different standards of enforcement for the rules. This leads to expensive administrative costs in maintaining and continuing to implement the different standards. The European Commission predicted that a uniform law across the European Union would lead to savings of approximately 2.3 billion Euros a year. In addition, with a clearer set of regulations to govern data protection, the European Commission hoped to instill more confidence in consumers in online services, leading to a growth in jobs and innovations.

What Were the Terms of the 1995 Data Protection Directive?

The 1995 Data Protection Directive was adopted to regulate the processing of personal data among European Union member states. This Directive has a broad definition for “personal data,” including “any information relating to an identified or identifiable natural person.” Also, the standards within the Directive apply only if the entity controlling personal data is established within the European Union or uses equipment located therein. The standards prohibit the processing of personal data without transparency of purpose, a legitimate purpose, and proportionality. In terms of the requirement for proportionality, a controller can process personal data only to an extent necessary to its purpose—it cannot store that data for a potential future purpose.  However, the 1995 Directive fails to take into account the implications of social networks and cloud computing on online privacy.

What Are the Terms of the New Data Protection Regulations?

The new regulations will extend to include all companies that process EU residents’ data, whether those companies operate from an EU member state or elsewhere. Failure to comply with the strict standards can lead to penalties of up to 2% of the company’s worldwide profits. Amendments to the original version have increased this penalty to 5%. The European Commission defines “personal data” as “anything from a name, photo, email address, bank details, social networking website posts, medical information, or a computer’s IP address.” This is a much more specific definition. Companies must seek express, valid consent before they can collect personal data. When dealing with children under the age of 13, a child’s parent or guardian must give consent. In March 2014, the EU also adopted a new amendment—the Right to Erasure. This provides consumers the right to ask data providers to erase their personal data from their records. However, the consumer will need to demonstrate a substantial need for the erasure, for example, that the content is unlawful or that the subject’s rights outweigh the right to freedom of information. The proposed regulation was released on January 25, 2012, and several amendments have been proposed since. The European Commission hopes to adopt a final version by late 2014. The regulations will then be in effect after a two-year transition period. This time will allow companies and individuals to take steps to abide by the new rules.

At our law firm, we help inform our clients about both domestic and international internet and privacy regulations. You may contact us to discuss with an attorney how the new standards may affect your rights.