The European Union (“EU”) is in the process of strengthening its digital data privacy laws, the far-reaching effects of which will be felt by any United States company doing business in the EU. The latest move toward implementation of the General Data Protection Regulation (“Regulation”) occurred in late October 2013, when the European Parliament approved certain amendments to the current draft of the legislation. If passed, these amendments will further strengthen online data privacy and severely restrict the transfer of EU citizens’ personal data to non-EU countries.
2. A few of the key changes (cont.):
• Right to information and transparency – Companies must provide users with clear and easy-to-understand information on how their data is collected, used and stored, and must inform users when or if the company transfers personal data to public prosecution authorities or intelligence services.
• Data transfer to non-EU countries – Companies may not transfer personal data of EU citizens to the authorities of a non-EU country unless the transfer complies with European law. This means that communication and Internet companies may no longer hand over data to U.S. authorities unless explicitly allowed by EU law or an international treaty.
• Identifying data – All data which can directly or indirectly identify an individual, even if it comes from a mass collection of “Big Data,” must be protected. In this way, the Regulation is encouraging pseudonymized data that cannot be linked to other data.
• Heavy sanctions – Companies that violate the Regulation will face tough sanctions. Violations could result in fines up to the greater of 100 million euros ($137 million) or 5% of the company’s annual worldwide revenue.
• Privacy by design – Companies should operate with a “Privacy by Design” mindset: develop and integrate privacy procedures into every level and aspect of their operations. Further, companies should minimize their data use and collection practices and implement the most data protection-friendly settings possible. In other words, companies should only collect data that is necessary for the functioning of their service. Users should also be able to use services anonymously or pseudonymously.
• Data protection officer – Companies that regularly deal with personal data must appoint a data protection officer. The size of the company does not determine whether such an officer is required; rather, the amount and relevance of the company’s data use and collection practices make this determination.
• Uniform enforcement of the rules – A European Data Protection Board will ensure the data protection law is applied consistently throughout the EU. In this way, companies may not avoid strong data protection laws by racing to those countries with weak law enforcement, nor will they be unwittingly subject to the more aggressive data enforcement practices of countries like Spain or Germany.
Preparing for the Change
While the Regulation has not yet been finalized and certain provisions will likely be amended, companies can and should begin taking steps to prepare for the inevitable changes. First, companies should review their privacy policies to ensure they are accurate and up to date. Some policies may need to be re-written to comply with the requirement that they be clear and easy-to-understand. Second, companies should appoint a Data Protection Officer. An existing employee may be able to absorb the role, or the company should consider hiring outside legal counsel to take on the position. Third, companies should conduct an audit to determine their strengths and weaknesses with respect to privacy. The results of the audit will help the company determine whether its privacy safeguards are sufficient and will reveal whether the company is collecting more data than necessary. Finally, companies should experiment with and test their privacy controls. Any errors or oversights could result in sanctions and/or substantial fines.
For more information or guidance on getting your business ready for the new EU privacy regulations, contact a privacy attorney at Gagnier Margossian LLP.
Gagnier Margossian LLP – Internet | Intellectual Property | Privacy | Social Media | Technology – The Good Stuff #nerdlawyers
Offices: Los Angeles, Sacramento, San Francisco
T: 415.766.4591 | F: 909.972.1639 | E: consult@gamallp.com | gamallp.com | @gamallp