Privacy Law: How It Affects Your Organization
Telios Law would like to thank our colleague across the Atlantic for contributing this article on European privacy laws. Wellers Law Group LLP is a law firm in the UK that offers advice and legal services to charitable organizations. Ms. Jennifer O’Brien is a Senior Solicitor in the Commercial department and focuses on data protection compliance, as well as other corporate and commercial matters.
Privacy law in Europe (also known as data protection law) became an important issue for organizations both in and outside Europe in about 2000, when tough rules around the use of ‘data’ were introduced. The need for the law was attributed to the explosion in the generation and use of data that accompanied the advance of the electronic age.
Although these rules primarily applied to organizations based in Europe, they imposed restrictions on what could happen to data sent outside Europe (e.g. to the US or Hong Kong), because European authorities did not consider the privacy rules in most other countries adequate (with a few limited exceptions). The result was that many countries rushed to introduce their own privacy law regimes after 2000 to put an equivalent standard in place, in an effort to ensure that data could continue to flow internationally between organizations without being impeded by the new European rules.
What Are the Key Elements of the European Regime?
It applies to “personal data”, which is any data from which an individual can be identified, e.g. name, contact details and even work e-mail addresses. Therefore every organization, whether not-for-profit or commercial, with operations (or merely a server) in Europe is subject to the rules. Individuals have numerous rights in relation to their personal data, such as (i) the right to object to being marketed to by an organization, (ii) the right to ‘consent’ to the use of their data by an organization (with some exceptions) and (iii) the right to be given a complete copy of the data an organization holds about them at any time on request.
In addition, organizations holding (known as ‘processing’) data are subject to various requirements. For example, they have to be able to justify processing it, which often means having the individual’s consent to do so. As data must also be kept up to date, organizations have to have a data retention policy so that they do not keep data indefinitely and allow it to become out of date. Individuals must also be informed about all proposed uses of their data; this has resulted in the development of privacy policies containing statements about the use of data. In addition, there is a whole raft of marketing rules which have forced a culture change in how entities market to individuals.
Another major focus of the current rules is the security of data, particularly given the ever-increasing risk of electronic data loss through hacking and carelessness. The rules require organizations to put ‘appropriate technical and organizational measures’ in place to ensure the security of data. Yet despite this, breaches of data security are not uncommon in Europe; they carry a risk of fines of up to £500,000 in the UK and almost invariably result in damaging publicity for the offending organization.
Controversially, entities based in Europe cannot ‘transfer’ data outside Europe unless the recipient country has equivalent privacy laws. The problem is that, according to European authorities, most countries do not. Bear in mind that a “transfer” happens merely by sending an e-mail containing someone’s name to the US, for example, so almost all organizations are inevitably caught by this rule. A common solution, however, is to enter into contracts with the overseas recipient of the data in which they agree to comply with European standards in their handling of it, although this clearly imposes European standards outside Europe, a much criticised effect of the rules.
Why Are New Rules Being Introduced?
Although the current rules have been in place since 2000, they have not kept pace with the speed of technological advancement since that time, for example the development of tablet devices, portable devices, apps, social media, etc. European authorities have therefore now approved new legislation to address this; the bad news is that it is significantly stricter than the existing regime!
As we increasingly live in an age in which organizations are global, most of them, wherever they are based, will be affected. This is because the new rules apply to any entity which holds data about individuals based in Europe, even if it has no operation in Europe. Although some of the existing principles are retained, there are a number of important changes, such as:
- Fines can be up to 4% of worldwide turnover! This is on a par with anti-trust fines which means that privacy law compliance must now of necessity become a Boardroom priority.
- Individuals acquire even more rights in relation to their data, such as the “right to be forgotten” on request. So instead of the internet never forgetting someone’s history, an individual can now ask search engine operators (e.g. Google) to remove posts relating to them from search results if the request satisfies certain legal tests.
- Obtaining consent is going to become more difficult. For example, it will not be acceptable to pre-tick a box stating that an individual consents to a particular use of their data and invite them to untick the box if they disagree. Organizations which are customer or donor facing will need to review closely how they obtain consent and take new steps to ensure it is valid, which is easier said than done.
- If there is a data security breach, most organizations will have to notify a regulator and potentially the individuals affected, which means that damaging publicity as well as claims for compensation from individuals could ensue. These are serious implications.
- As referenced above, and controversially, the new rules do not just apply to organizations which have a presence in Europe; they also apply to organizations which collect or process data about individuals based in Europe. It is not clear how European regulators will enforce this, but it does mean that a charity based in the US, for example, which has no operations in Europe must handle any data about Europe-based individuals in accordance with European rules!
- Any organizations that collect information from children will need a parent or guardian’s consent to process their data lawfully.
What Should You Do?
All organizations are well advised to begin to prepare now!
This is because, although the new rules will be effective from 2018, compliance will only be achieved by considerable advance planning: conducting an audit of what data is held, how it is processed and, crucially, where it travels worldwide within the organization (and to external parties), and identifying what steps need to be taken to conform to the new rules.
Although these rules may seem severe, the expectation is that other countries will want to keep pace in the area of privacy law to ensure that individuals and consumers have confidence that organizations can be trusted to take care of their data. It is no secret that privacy law failures now have the ability to damage, if not destroy, organizations (both for-profit and not-for-profit), so all entities would be well advised to take this area seriously and make privacy law compliance a ‘trust point’ for the public rather than a reactive response to failure.
Because of the generality of the information on this site, it may not apply to a given place, time, or set of facts. It is not intended to be legal advice, and should not be acted upon without specific legal advice based on particular situations.