On May 26, the UK will begin to enforce the amended Directive on Privacy and Electronic Communications - better known as the E-Privacy Directive - which it passed last year. Meanwhile, all 27 member nations of the economic and political confederation are debating much broader draft legislation, introduced by the European Commission in January, which would reform and harmonise data protection laws across the EU.
The E-Privacy Directive, which the UK's Information Commissioner will enforce, requires consent for all non-essential tracking of individuals as they traverse the web, whether that tracking involves tags, cookies or other tracking technology. In other words, websites must inform consumers in detail about any tracking that takes place on the site and obtain consent before proceeding with the tracking.
Updating the data protection directive
Like many other European data protection laws, the UK's implementation of the E-Privacy Directive is an outgrowth of the Data Protection Directive, adopted by the EC in 1995 and intended to apply a set of common rules and safeguards for personal data throughout the member countries of the EU. But as a 'directive' rather than a 'regulation', it was up to the individual member countries to implement specific laws.
In the 17 years since the EC adopted the Directive, EU member states have adopted a patchwork quilt of data protection laws that vary in both language and the penalties for non-compliance. For example, when it comes to the E-Privacy Directive, some of the member countries adopted opt-in laws, others adopted opt-out laws and still others have considered annual consent procedures.
In effect, organisations operating in Europe have had to deal with a dizzying array of laws governing the holding and processing of personally identifiable information (PII).
Additionally, the Data Protection Directive was drafted in the early days of the public internet: Hotmail did not yet exist and the public had yet to know what the term "Google search" meant. The directive did not anticipate the changes to computing that would come from software-as-a-service (SaaS) and other forms of cloud computing.
"Currently, we have 27 member states in Europe, and each one of those member states have taken it upon themselves to create their own version of the Data Protection Act" says Jason Currill, CEO of Ospero, a provider of global hosting, infrastructure and platform services.
"Most of them are pre-cloud, based on the Data Protection Directive formulated in 1995. Everything has now changed. Geopolitical barriers have been smashed by the cloud. There are data privacy issues and data sovereignty issues that didn't exist back in 1995," Currill says.
In January of this year, the EC published a first draft of a new legislative package intended to both harmonise the data protection laws across the EU member states and update them to address the new technological reality.
"Seventeen years ago, less than 1% of Europeans used the Internet," EU Justice Commissioner Viviane Reding, the EC's vice president, said inJanuary when the draft was released. "Today, vast amounts of personal data are transferred and exchanged across continents and around the globe in fractions of seconds. The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data. My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information. The reform will accomplish this while making life easier and less costly for businesses. A strong, clear and uniform legal framework at EU level will help to unleash the potential of the digital single market and foster economic growth, innovation and job creation."
Scope of the data protection legislation
The new legislation is expected to have a substantial effect on all organizations that operate or focus on Europe, say Ulrich Bäumer and Stephanie Ostermann of the International Law Office, an online legal update service for companies and law firms worldwide.
Bäumer and Ostermann say the new laws, as currently written, would increase the regulatory burden on organisations with European operations; increase the amount of time, money and personnel required to achieve compliance; and raise the stakes in terms of potential fines and brand damage arising from non-compliance.
"The new law will apply to anyone processing data in the European Union, as well as those outside Europe which are offering goods or services to EU citizens," they wrote in a paper about the new regulation. "For a multinational organisation, the location of its European headquarters will determine which EU member state's laws will apply and which regulatory authority will have jurisdiction. That said, individuals will be given a wider range of powers to bring personal action against an organisation (either in the country where a non-compliant organisation is located or in the individual's local courts). Trade associations will also be empowered to bring class actions on behalf of their members. For the first time, data processors will share equal responsibility and liability for compliance with the new laws, raising the stakes for IT service suppliers."
Cloud service providers would feel the impact
One of the new provisions most likely to affect non-European businesses attempting to do business in the EU, or European businesses seeking to use non-European cloud service providers, revolves around data transfer to non-EU countries. The extant data protection laws already prohibit data transfers to countries outside the EU that don't have data protection laws of the same strength as the EU's laws - the US for instance - unless specific compliance steps have been taken.
"Prospective EU customers of SaaS services face significant legal hurdles if they wish to make use of third-party vendor software that runs through a web browser and involves the hosting of the customer's data-including personal data-outside Europe," Graham Hann and Sally Annereau of Taylor Wessing wrote in a white paper commissioned by VMware and Ospero. They noted that the hurdles include security rules for diligence and oversight of outsourced processing, rules restricting exports of personal data outside of the EU and threats from overseas regulator 'long arm' requests for personal data.
"Concerns about the difficult in overcoming these hurdles, worries about compliance risks leading to regulator enforcement litigation and damage to reputation, coupled with uncertainty about the future shape of proposed EU law protecting personal data, has made EU business wary of switching to cloud-based SaaS solutions hosted outside of Europe," they say.
The proposed legislation would give organisations more options for dealing with this prohibition, specifically with regard to binding corporate rules (BCR), which govern multinational businesses.
Ospero's Currill says that he's in favour of the new legislation because it will give companies one set of regulations they must adhere to rather than the many different laws currently in place. Ospero has, in fact, already positioned itself to prosper from the EU's data transfer laws by taking a cue from the physical world's warehouse distribution model.
"A lot of these issues kind of go away if you just embrace the local culture that you're trying to do business in," Currill says. "The pitch to a German, to a French person, to an Italian, they're all completely different. The simplest thing to do is to embrace the local jurisdiction and embrace the local customer."
To do that, Ospero is marketing its data centres as "compliance hubs" that allow customers to operate in a country without the compliance issues involved in data transfer. Essentially, Currill says, customers host an image of their application in an Ospero data centre in the country in which they wish to do business, while Ospero manages the data and the application without it ever leaving Europe.
The new legislation would also put strict restrictions in place with regard to consent requirements. It would require that consent for the use of PII be obtained in advance on an opt-in basis before it could be used, and would require parental consent for individuals age 13 and younger.
It also mandates data portability, giving individuals the right to demand that an organisation transfer any information about them to a third-party organisation in a format determined by the individuals.
Under the new legislations, organisations would be required to prove they undertake regular data protection audits and privacy impact assessments. Additionally, all private sector companies with more than 250 employees, all private sector companies whose core activities involve regular monitoring of individuals and all public authorities would be required to formally appoint a data protection officer (DPO).
"The data protection officer must be empowered by the organisation to act as an independent assessor of its compliance with data protection laws and report to the board of directors in doing so," say Bäumer and Ostermann. "The EU regulation specifically requires the data protection officer to coordinate data protection by design and privacy impact assessment initiatives and to be responsible for data security initiatives generally. Responsibility for training staff is also mentioned as important. In short, the data protection officer must ensure that his or her organization has adopted good data governance policies and procedures."
The new legislation would also obligate organisations to notify data protection authorities of data breaches within 24 hours of discovering a breach, or to explain to authorities why it is not possible to provide full details of the breach.
To give teeth to the new legislation, the EC has proposed hefty fines for non-compliance. A provision would allow national supervisory authorities to send a warning letter for first offences, but serious violations (like processing sensitive data without an individual's consent) would allow those supervisory authorities to impose penalties of up to €1 million or up to 2% of a company's global annual turnover.
Bäumer and Ostermann recommended a number of steps that organisations can take to prepare themselves for compliance with the new regulations.
Implement good data protection governance measures
They recommend that organisations review their policies and procedures to ensure they reflect a serious focus on data protection issues.
"An organisation's policies and procedures are a key benchmark against which its compliance is judged by regulators," they say. "The thought that has been given to both indicates how seriously data privacy compliance is taken. Information provided in policies, whether staff or customer facing, and the practices which they encourage are also at the heart of achieving compliance with two frequently breached principles of data protection law, namely: data security obligations which require "appropriate technical and organisational measures" to be in place to prevent data loss and unauthorised access to data (in other words, companies need to be well organised when it comes to information security); and knowledge/consent obligations which require an organisation to inform its staff, customers and suppliers what data it processes about them, and what it uses that data for (again, internal and externally facing policies provide a key mechanism for supplying that information)."
Bäumer and Ostermann also recommend regular and well-thought-out training programs for staff that handle valuable data. In addition, they recommend organisations make a point of taking compliance seriously by running regular audits and privacy impact assessments before introducing any new significant data processing activities.
With regard to data transfer compliance, Bäumer and Ostermann recommend adding an assessment of an organisation's data transfer compliance to any compliance review of potential third-party partners. And because organisations are responsible and liable for the compliance acts and omissions of their suppliers, they recommend organisations adopt four mitigation measures, as follows:
- Encryption. One of the first steps regulators often take following a data breach is to require the adoption of encryption technology. Organisations can sidestep the expense and difficulty of implementing encryption on short notice by implementing it now.
- Service levels. The data protection laws require companies to have strong written service levels in place with suppliers that are given access to PII. Bäumer and Ostermann note that regulators will look poorly on companies that suffer a data breach if they do not have strong SLAs in place.
- Data breach notifications. Some European countries already have data breach notification laws in place, and some sectors (like financial services and telecom) are also already broadly subject to such laws. But the new legislation would extend those requirements to all organisations in the EU. Bäumer and Ostermann recommend company management determine whether their organisation is ready to meet the new requirements.
- Supplier due diligence. They note that in the event of a security incident, regulators will look closely at the pre-contract due diligence undertaken on the supplier. Regulators are likely to look more favourably upon organisations which undertake such due diligence.
The new legislation would update the existing E-Privacy Directive to require that opt-in consent be obtained before implementing any device or internet usage tracking technology. Bäumer and Ostermann say that the biggest challenge many businesses would face is how explain and obtain consent for the usage of such cookies or other tracking technologies without putting off visitors to their websites. They recommend companies undertake an audit of their cookies and other tracking technologies to assess what they are used for and why. In addition, they suggest companies review their privacy policies with regard to tracking technologies and present notices to users.