One of the great advantages of the Internet is that it permits seamless interactions to occur across borders. One of the great challenges for U.S.-based companies is how to manage compliance issues, privacy issues among them, when an Internet service is made available to individuals in the EU, or other foreign countries. The EU regulates privacy based upon the implementation of the EU Data Protection Directive, as well as other Directives. While the Directives themselves are not directly controlling, they set the minimum requirements of the individual Member States implementation of the Directives, so changes to the Data Protection Directive requires changes to all of the Member States laws.
Since the EU has previously determined that the U.S. does not have “adequate” data protection laws, for U.S. companies to legally export data in most cases, they must follow one of three main options for EU privacy compliance: model contracts; Binding Corporate Rules (BCRs); or the Safe Harbor program, which is a negotiated agreement between the EU and the Department of Commerce. Many companies rely upon the Safe Harbor Program, which requires registration with the Department of Commerce, as well as the implementation of policies and procedures that assure that there are “adequate” safeguards in place to protect EU users.
The Safe Harbor Program has come under increasing fire from the EU and over the last year there has been a significant amount of attention paid Safe Harbor, as well as Internet privacy issues, such as the use of cookies. The debate and changes to the relevant EU Directives to address the use of cookies has been called the “Cookie Directive”, and while many companies have attempted to address the issue, many of the Member States have not completely implemented the Cookie Directive.
The Cookie Directive may be a minor issue compared to what the European Commission announced yesterday. The Data Protection Directive was originally enacted in 1995, a time when the Web 1.0 world was just starting. In light of the vast changes to the Internet, as well as other societal changes, European justice commissioner, Viviane Reding stated that she intended to make changes Data Protection Directive, which she would announce in January, 2012.
Mrs. Reding has been a vocal critic of certain data retention practices on the Internet, and given her past statements on this issue, as well as the “right to be forgotten”, it is likely that the changes to the Data Protection Directive will restrict Internet company’s ability to retain, and perhaps even collect, certain forms of data. Mrs. Reding also specifically mentioned social networks, including those relying upon cloud storage in a non-EU country, stating that she believed foreign companies should be required to comply with EU law. It is also likely that any new proposal will include increased penalties for violation of the Data Protection Directive. These proposals are a distinct change to the prior EU position, and would represent a significant extraterritorial expansion of EU jurisdiction, as EU-oriented websites of U.S. companies would be, in the EU view, directly subject to European privacy rules.
While this proposal is a not law, and would not be law until approved by several different European bodies, it is something that companies must continue to monitor, as it is likely changes are coming to the EU soon.
