Here’s the good news about European data-security laws: The European Union has had a consistent, centralized legal regime in place for nearly 20 years.
The bad news: that may be about to change.
The EU’s Data Protection Directive, in force since 1995, provides a comprehensive data-security framework for member nations. It sets up guiding principles and then tasks each country with enforcing those principles. Compared to the patchwork of regulation in the United States, the EU’s directive makes it fairly easy for companies doing business there — in the sense that they at least know there are consistent rules to play by.
“In May, Europe’s top court reached a landmark decision ordering search engines such as Google to respond to individuals’ requests to remove old or personal information about them from search results for their own names,” The Wall Street Journal reported in July.
Thankfully, though, the EU years ago created helpful safe-harbor policies for American companies, allowing them to collect data in Europe (and ship it back to the United States) if they meet certain minimal standards and receive a certification from the U.S. Department of Commerce. That certification allows American companies to advertise their compliance to European consumers—an important asset there, where citizens are generally suspicious of corporate data collection. Only U.S. organizations subject to the jurisdiction of the FTC, or U.S. air carriers and ticket agents subject to the jurisdiction of the Department of Transportation, may participate.
In recent years European regulators have grown increasingly convinced that too many U.S. companies are receiving this certification without meeting the EU’s data-protection standards – an ominous situation for U.S. companies.
Two years ago the EU formed a commission to study the Data Protection Directive. The so-called Article 29 Working Party is studying every aspect of the directive, and has been issuing recommendations for adapting the directive in accordance with changes in technology and data use.
The recommended changes have so far been relatively minor. But at some point this year the working party should come in with some big suggestions. The scary part: we don’t know what those might look like. Even scarier: we don’t know whether the safe harbor provision will survive the revisions.
If it doesn’t, American companies would face an extremely difficult transition. Nearly every business would likely be forced to change the way it collects, transports and uses data collected in Europe.
Of course, we’re watching this closely and will provide whatever insights we can as it unfolds. For now, though, all we can really advise is to hope for the best.