Telios Law would like to thank our colleague across the Atlantic for contributing this article on European privacy laws. Wellers Law Group LLP is a law firm in the UK that offers advice and legal services to charitable organisations. Ms. Jennifer O’Brien is a Senior Solicitor in the Commercial department and focuses on data protection compliance, as well as other corporate and commercial matters.
Privacy law in Europe (also known as data protection law) became an important issue for organisations both in and outside Europe in about 2000 when tough rules around use of ‘data’ were introduced. The need for the law was attributed to the explosion in generation and use of data as a result of the advancement of the electronic age.
Although these rules primarily applied to organisations based in Europe, they imposed restrictions on what could happen to data sent outside Europe (e.g. to the US or Hong Kong), because European authorities did not consider the privacy rules in most other countries adequate (with a few limited exceptions). The result was that many countries rushed to introduce their own privacy law regimes after 2000, trying to put an equivalent standard in place so that data could continue to flow internationally between organisations without being impeded by the new European rules.
What Are the Key Elements of the European Regime?
It applies to “personal data”, which is any data from which an individual can be identified, e.g. name, contact details and even work e-mail addresses. Therefore every organisation, whether not-for-profit or commercial, with operations (or merely a server) in Europe is subject to the rules. Individuals have numerous rights in relation to their personal data, such as (i) the right to object to being marketed to by an organisation, (ii) the right to ‘consent’ to use of their data by an organisation (with some exceptions) and (iii) the right to be given a complete copy of the data an organisation holds about them at any time on request.
In addition, organisations holding (known as ‘processing’) data are subject to various requirements. For example, they have to be able to justify processing it, which often means having consent from the individual to do so. As data must also be kept up to date, organisations have to have a data retention policy so that they do not keep data indefinitely and allow it to become out of date. Individuals must also be told about all proposed uses of their data, which has led to the development of privacy policies containing statements about how data is used. In addition, there is a whole raft of marketing rules which has forced a culture change in how entities market to individuals.
Another major focus of the current rules is the security of data, particularly given the ever-increasing risks of electronic data loss through hacking and carelessness. The rules require organisations to put ‘appropriate technical and organisational measures’ in place to ensure the security of data. Yet despite this, data security breaches are not uncommon in Europe; they carry a risk of fines of up to £500,000 in the UK and almost invariably result in damaging publicity for the offending organisation.
Controversially, entities based in Europe cannot ‘transfer’ data outside Europe unless the recipient country has equivalent privacy laws, and according to European authorities most countries do not. Bear in mind that a “transfer” happens merely by sending an e-mail containing someone’s name to the US, for example, so almost all organisations are inevitably caught by this rule. A common solution is to enter into a contract with the overseas recipient of the data in which the recipient agrees to comply with European standards when handling it, although this clearly imposes European standards outside Europe, a much criticised effect of the rules.
Why Are New Rules Being Introduced?
Although current rules have been in place since 2000, they have not kept pace with the speed of technological advancement which has taken place since that time, for example development of tablet devices, portable devices, apps, social media, etc. Therefore, European authorities have now approved new legislation to address this – the bad news is that it is significantly stricter than the existing regime!
As we increasingly live in an age in which organisations are global, most of them, wherever they are based, will be affected. This is because the new rules apply to any entity which holds data about individuals based in Europe, even if it has no operation in Europe. Although some of the existing principles are retained, there are a number of important changes, such as:
- Fines can be up to 4% of worldwide turnover! This is on a par with anti-trust fines which means that privacy law compliance must now of necessity become a Boardroom priority.
- Individuals acquire even more rights in relation to their data such as the “right to be forgotten” if requested. So instead of the internet never forgetting someone’s history an individual can now ask search engine operators (e.g. Google) to remove posts relating to them on a search engine if the request satisfies certain legal tests.
- The means of obtaining consent is going to become more difficult. For example, it will not be acceptable to tick a box stating that an individual consents to a particular use of their data and invite them to untick the box if they disagree. Organisations which are customer or donor facing will need to closely review how they obtain consent and take new steps to ensure it is valid – easier said than done.
- If there is a data security breach, most organisations will have to notify a regulator and potentially the individuals affected, which means that damaging publicity as well as claims for compensation from individuals could ensue – serious implications.
- As referenced above, the new rules controversially apply not just to organisations which have a presence in Europe but also to organisations which collect or process data about individuals based in Europe. It is not clear how European regulators will enforce this right, but it does mean that a charity based in the US, for example, which does not have any operations in Europe must handle any data about Europe-based individuals in accordance with European rules!
- Any organisations that collect information from children will need a parent or guardian’s consent to process their data lawfully.
What Should You Do?
All organisations are well advised to begin to prepare now!
This is because, although the new rules will be effective from 2018, compliance will only be achieved by considerable advance planning: conducting an audit of what data is held, how it is processed and, crucially, where it travels worldwide within an organisation (and to external parties), and then identifying what steps need to be taken to conform to the new rules.
Although these rules may seem severe, the expectation is that other countries will want to keep pace in the area of privacy law to ensure that individuals and consumers have confidence that organisations can be trusted to take care of their data. It is no secret that privacy law failures can now damage, if not destroy, organisations (both for-profit and not-for-profit), so all entities would be well advised to take this area seriously and make privacy law compliance a ‘trust point’ for the public rather than a reactive response to failure.