US companies extending their activities into Europe often get in touch with queries about European privacy law. Without question Europe’s regulations on privacy protection are strict – but they are also solvable and wont restrict US companies doing business in Europe.
Often referred to as “data protection”, the terminology is misleading. Privacy law is not aimed at the protection of data but instead at the protection against data. Therefore, unlike any software or trademark protection, data protection does not recognize economic value but risks of data instead: Individuals should be protected against third parties having vast and uncontrolled information on such individuals.
Basic legal situation in Europe: Ban with permit reservation
The current EU legal framework on data protection bases on the general Data Protection Directive 95/46/EC. It is complemented by the e-Privacy Directive 2002/58/EC which applies in the field of electronic communications, and by the Data retention Directive 2006/24/EC. Consequently there is a sufficient level of harmonization U.S. companies can align their activities with.
The key terminology in European privacy law is “personal data”. Privacy law only protects personal data. Data is personal if it relates to an identified or at least identifiable person, the data subject. This includes information like name, postal address, email address, telephone number or usage data. In certain conditions, even a dynamic IP address (if the processing of IP addresses is carried out with the purpose of identifying the users of a computer) should be considered as personal data.
If such personal data is concerned during a business process, European regulations deliver a rather strict key message: The collection, processing and use of personal data are permitted only if the data subject has consented or if the activity is permitted by law. This does also concern the transfer within group-companies. European privacy law does not know any intra-group privileges.
What does Privacy Law means for US Companies?
This legal situation requires that the collection of personal information should be kept to a minimum. Applied to current technology trends it means that the design process should start with the default option that no identifiable data is collected. And whenever possible, personal data should be replaced by equivalent minimized data.
If nevertheless personal data will be used, US companies should take care of the following checklist:
- The lawfulness of the process must be considered and checked.
- If the legal provision does not provide a justification, the consent of a data subject is required.
- A lawful given consent requires an informed data subject and must be given voluntarily, explicitly and revocable. The scope of the consent is binding for the company and shall not be left.
- Personal Data which is collected and stored must be protected by adequate technical and organisational measures which meet a minimum standard for the protection of sensitive information.
- Personal data must be deleted as soon as storage interests are completed.
Further improvements on the horizon
In future, European privacy law might become even more transparent for US companies and easier to comply with. In 2012 the EU proposed a General Data Protection Regulation with the commission trying to establish a complete level playing field for data processing companies doing business in the EU. US companies operating across the entire EU will then just have to pay attention to one single framework. Furthermore, the proposed Regulation tries to simplify the regulatory environment by reducing bureaucratic rules and removing formality requirements and promoting self-regulation. Consequently it can be assumed that administrative burdens associated with the differences in the current frameworks will be reduced.
The role model for the new proposal was the German Federal Data Protection Act (Bundesdatenschutzgesetz – “BDSG”) and if the proposal survives the legislative procedure unmodified the future situation will be similar to the current situation in Germany.
No need for fears of contact
If US companies implement some basic rules they will be able to do business in Europe successfully in accordance with European privacy law. All requirements are manageable. If the Regulation passes the legislative process unmodified, this situation becomes even better. US companies will face a business-friendly privacy law environment in the entire EU. Nevertheless companies still need to act carefully if they make their first steps in Europe. But if they are well prepared privacy law won’t prevent successful businesses succeeding in European markets.