International Internet Laws – Part II

International internet laws are relevant to e-commerce and online transactions in many ways. There are many international rules and regulations that can affect electronic commercial transactions – i.e., e-commerce transactions. For example, the European Union has issued multiple directives that are set to regulate international policies. These directives outline the legislative minimum standards for all member states. Therefore, it is important to understand the parameters in order to properly advise clients who conduct international business.

Data protection and privacy has been an important issue on the national and international levels. So, for example, the European Union’s Data Protection Directive (EU Directive No. 95/46/EC) has set out the data protection and privacy parameters. It prevents the transfer of personal information to foreign nations without adequate protection. It has outlined several important principles to properly safeguard personal information.  These principles include collecting personal information for a legitimate purpose, informing the individuals about data collection, granting access to the individual’s personal data, giving the individuals the right to access, modify, or delete their personal information, and providing proper remedies in case of violations. This includes the “Right To Be Forgotten” rule which grants individuals the right to delete personal information from internet records.

The EU Data Protection Directive has also addressed cookies by requiring website operators to obtain the visitor’s consent for using cookies on their platforms. This requirement forces website operators to provide notice to all visitors about using cookies and to request formal consent.

In 2018, the European Union replaced the Data Protection Directive with the General Data Protection Regulation (“GDPR”).  This new regulation automatically applies to all member states without implementing national legislation. It broadly defines personal data as “any information relating to an identified or identifiable natural person.” It does not mention or address “anonymous” information but considers any kind of data that can be linked to a natural person to be subject to its rules. Its scope extends to data controllers and processers inside and outside of the European Union as long as their activities are related to the purchase or sale of good and services to European Union residents. It requires data controllers and processors to assign a Data Protection Officer (“DPO”) who has the necessary background and experience in data protection laws. It holds data controllers and processors accountable by imposing protocols. First, they must maintain certain documents in their records. Second, they must conduct data protection impact assessment for riskier processing. Third, they must implement data protection by design and default such as minimizing data in their records.

The GDPR imposes strict rules when it comes to data subject’s consent. In other words, data controllers and processors must obtain the user’s consent before they collect personal information. Moreover, the user has the right to retract consent at any time. It sets out certain protective measures for children. It also emphasizes on transparency when it comes to privacy policies – i.e., the website must be honest and forthcoming about its privacy policies and procedures at all times. It has strict guidelines for data breach notification and grants the right to each member state to establish an independent supervisory authority to investigate complaints. All in all, it can be argued it is a comprehensive international regulation.

It’s important to know your legal rights and responsibilities when it comes to international internet laws and e-commerce transactions. Please contact our law firm to speak with an international internet attorney at your earliest convenience.