Tightening the rules

Update: data protection in the European Union

By Dr. Ali Sahin Dr. Regina Engelstädter
Paul Hastings


Recent developments in the data-protection environment in the European Union propose a more restrictive data-protection standard in comparison with the current EU directive on data protection (95/46/EC).

First, the European Parliament has proposed a new legal framework for data protection in the European Union that aims to:

- Increase harmonization of data-protection rules in the European Union
- Implement higher levels of protection for data subjects and
- Expand penalties for violations.

The new data-protection regulation would require companies to increase their efforts to comply with EU data-protection laws and impose severe sanctions for violations. As a result, companies would have to undertake an extensive review of their compliance programs.

Second, the European Court of Justice (ECJ) recently held that Google is responsible for the processing of personal data that appear on websites published by third parties. The search engine provider is now obliged to remove links to websites that are published by third parties and that contain information relating to a person from its list of results displayed following a search made on the basis of the person’s name. Supporters of privacy rights interpret the ECJ’s ruling to mean that data subjects have a “right to be forgotten,” enabling them to request deletion of their digital personal data from search results, although the information will still be available on the original website. The ECJ’s ruling creates technical challenges and potential extra costs for search engine providers, and operators plan to flag search results that have been altered. The ruling supports the effort of the European Parliament to establish a higher standard of data protection.

Harmonization of data-protection rules

The new data-protection regulation is still being reviewed by various European institutions and is subject to final approval by the EU Council, which is expected sometime in 2014. Here are some of the key issues it touches on:

One continent, one law: The new data-protection regulation would establish a single, pan-European law for data protection, replacing the existent “patchwork” of national laws.

One-stop shop: The new data-protection regulation would create a one-stop shop for businesses. They would be able to deal with a single supervisory authority rather than 28 different ones, making it easier and cheaper for them to do business in the European Union.

The current EU directive on data protection (95/46/EC), which dates back to 1995, leaves the 28 member states broad discretion in the implementation of minimal standards. The result is different levels of data protection across the member states. Therefore, on Jan. 25, 2012, the European Commission proposed a comprehensive reform of the European Union’s data-protection rules to increase the level of privacy rights and boost Europe’s digital economy. Since the digital economy is purely based on data, personal data have become a significant and dominant economic factor. The new data-protection regulation would be binding for all member states in all but a few preapproved exceptions, such as data protection for employees.

Overview of the new data-protection regulation: severe sanctions

To ensure that businesses take the new data-protection regulation seriously, European regulators would be equipped with extensive powers to enforce compliance. The level of sanctions for violating data-protection laws would be increased substantially, close to the level for antitrust infringements. Fines could total up to €100 million or up to 5 percent of the annual global revenues of the relevant company, whichever is greater. Current penalties are fairly limited and vary from member state to member state (in Germany, for example, the current fine is €300,000).

The powers of European regulators would be significantly increased under the law. At present, the detail and level of administrative sanctions against companies violating national data-protection rules are fairly moderate. By and large, there is a broad tolerance of businesses that do not repeatedly violate data-protection rules. Companies not adhering to the new rules would risk material economic losses, resulting in a competitive disadvantage. Consequently, companies wanting to do business in the European market would be required to change and improve their data-protection compliance programs. This is particularly true for Internet-based and e-commerce businesses that collect, process and use the personal data of data subjects as their main business purpose.

Territorial scope: data controller

Another significant change would be the application of the new data-protection regulation to businesses that have their place of incorporation in a non-member state where the processing activities of such businesses relate to:

- The provision of goods or services to data subjects in the European Union, irrespective of whether such data subjects are required to make a payment or not
- Or the monitoring of such data subjects.

The territorial application of the new data-protection regulation would be comparable to the rules imposed by European competition laws. Under these rules, national laws of EU member states mostly apply the principle of the marketplace. For example, if a business located outside the European Union targets EU consumers with product advertising and marketing, then national competition laws regulate such advertising. The most recent ECJ ruling supports this view, as the court holds that a search engine provider qualifies as a data controller (although its seat is in a non-member state) if its EU subsidiary is conducting advertisement in an EU member state. This finding will have a material impact on search engine providers as well as on social media, online advertising and gaming businesses, such as sweepstake providers, that also use the Internet for advertisement purposes.

In the future, any company doing business in the European Union must appoint a data-protection officer if it processes the data of more than 5,000 individuals. At present, this requirement is linked to the number of people employed at a particular company.

Data transfer outside the EU

One of the most relevant data-protection topics is the question as to when, and under what conditions, a data controller or processor in the European Union would be allowed to transfer personal data to a third country, including onward transfers from this third country, without the regulator’s specific authorization. Currently, a transfer may take place only if (a) the European Commission has decided that the third country in question ensures an adequate level of protection (“white-listed countries” such as Canada, Norway, Iceland, etc.), or (b) the data controller and data recipient rely on standard data-protection clauses as approved by the European Commission.

In the context of EU and U.S. data-protection matters, the Safe Harbor framework allows a business in the European Union to transfer personal data to the United States without specific authorization, provided the receiving U.S. company is registered as a Safe Harbor participant with the U.S. Department of Commerce. In light of recent NSA revelations, it has been proposed that the current Safe Harbor framework between the European Union and the United States be reviewed to affirm whether data transfer to the United States can still be regarded as justified. This is another reaction of the European Parliament to the monitoring of affairs in connection with the U.S. Foreign Intelligence Surveillance Act. At the moment, it is not clear whether the European Union will continue to regard the Safe Harbor framework as an appropriate legal basis for the European Union to justify the transfer of personal data from the European Union to the United States.

Right to be forgotten

While the new data-protection regulation would extend the rights of data subjects to request information about what data are being collected on them and to request deletion of their data more easily, it does not offer the “right to be forgotten.” Businesses may still process data if they have a legitimate reason. The ECJ’s ruling goes beyond the scope of the new data-protection regulation.

First, the ECJ made it clear that search engine providers qualify as data controllers on the grounds that they collect data within the meaning of the current data-protection directive through their automatic and systematic searches of online information. The ECJ backed the “right to be forgotten” by arguing that data that are “inadequate, irrelevant or no longer relevant” should be deleted from search results if a data subject so requests. Although search engine providers do not have to comply with every single request, they must consider whether removing information is against the public interest.

The ECJ’s ruling did not specify how search engines should evaluate user requests; this remains unclear. The right to deletion needs to be evaluated by the data controller on a case-by-case basis, weighing the interests of the public in accessing the personal information against the interests of the data subject in question. Doing so requires a detailed assessment by the data controller of each individual deletion request. Consequently, the “right to be forgotten” depends on specific requirements being fulfilled, taking into account the nature of the data, its sensitivity for the data subject’s private life and the interests of the public in accessing such data.

Outlook

Obviously, the ruling of the ECJ vindicates the European Union’s efforts to tighten data-privacy rules. The issue will continue to be debated, and there will be more and more conflicts as a result of different understandings of privacy rights in Europe and the United States. It is expected that privacy issues will become more complex.

alisahin@paulhastings.com

reginaengelstaedter@paulhastings.com