Most e-commerce businesses and advisers outside Europe are generally aware that the European Union (E.U.) has what appear to be some strange and intricate laws relating to data privacy.
Because those laws appear complex, non-Europeans, or anyone operating outside Europe, can be tempted to ignore them; after all, they apply only in Europe, don't they?
But turning a blind eye to these data-privacy laws can prove dangerous and, in fact, the steps necessary to effect compliance are usually not that difficult.
Below are the main provisions of the European Data Protection Directive as they affect online businesses outside Europe. Also, some practical suggestions will be offered on how to minimize compliance costs.
Sorting out the Terminology
The core European legislative instrument is Directive 95/46/EC, commonly referred to as the Data Protection Directive (see www.europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=EN&numdoc=31995L0046&model=guichett). There are two principal forms of European legislation, the regulation and the directive.
A regulation is directly enforceable throughout the E.U. once it has passed the legislative stages involving the European Parliament, the European Commission and the European Council of Ministers.
A directive, on the other hand, is an instruction from the E.U. to each of the member states to implement national laws to comply with the terms of the directive.
Since the European law on data protection is a directive, each member state has to make national laws compliant with it. Those laws should have been operative from Oct. 1, 1998, and each member state must enforce the rules in its territory.
The directive is designed to protect personal data, defined as any information relating to an identified or identifiable natural person (the data subject). Rights under the directive then apply only to an individual person; they do not apply to companies or other corporate entities.
The directive controls the processing of personal data. Processing is very widely defined, and includes obtaining, recording or holding information or data, or carrying out any operation or set of operations on the information or data, including:
It is pretty clear that just about anything that could conceivably be done with data is covered by the term processing.
Under the directive, a data controller is, as the name suggests, the legal person who determines, possibly with others, the purposes and means of the processing of personal data. By contrast, a data processor is a legal entity that processes personal data on behalf of a controller; in other words, it is a body to which processing is subcontracted.
Where there is processing of personal data, the data controller must ensure that personal data is:
Also, personal data processing may take place only in one of a series of specified circumstances. In the majority of cases, only the data subject's unambiguous consent to the processing will suffice. Each member state must have a data-protection authority and, in most cases, data processors must register with the appropriate authority before they can process data lawfully.
Any failure of a data controller to abide by provisions of the directive is dealt with by the relevant national law of the member state concerned. Most member states have criminal and civil sanctions to deal with data-protection issues, and the directive further specifically mandates each member state to enact laws that will permit a data subject to sue an errant data controller for compensation.
Effect Outside Europe
First the good news: The E.U.'s data protection laws will not apply unless the controller is established in at least one member state or, where the controller is not established within the E.U., it nonetheless uses equipment (automated or otherwise) situated in a member state's territory to process personal data, unless the use is merely transit. However, given the breadth of the definition of processing, it is likely that transit has a very restricted meaning indeed, and the practical reality is that if any non-E.U. e-commerce business uses any equipment within the E.U. in connection with personal data, then it is more likely than not that E.U. data protection law will apply.
Now the bad news: Article 25 of the directive prohibits the transfer of personal data to a country outside the European Economic Area (E.E.A.), that is, the 15 E.U. member states together with Norway, Iceland and Liechtenstein, in the absence of unambiguous data subject consent except, broadly, in three types of circumstances:
Practical Steps
As previously indicated, in practical terms the most effective key to unlock the chains of European data protection laws is the clear and unambiguous consent of the data subject. For that consent to be effective, he or she must know precisely:
As a consequence, wherever possible, clear and complete details should be included in any e-commerce Web site terms and conditions, and these terms and conditions should be viewed and positively accepted before any personal data can be transmitted. It would also be wise for any U.S. business reliant to any extent on personal data emanating from within the E.E.A. to ensure that providers of such data strictly adhere to European data protection legislation. If this is not the case, then European authorities might abruptly cut data flow, much to the disadvantage of the U.S. business concerned.
The E.U./U.S. safe harbor arrangement, however, is not proving to be particularly popular in practice, and only relatively few large corporations have signed up. While the reasons for this are not entirely clear, it is likely that the issues the safe harbor arrangement was meant to address are instead being addressed by the contractual provisions now approved by the Commission.
Conclusion
U.S. companies have discovered that it is often good business to publish a privacy policy and publicly adhere to it in order to attract and retain consumer goodwill. Even in the absence of complex legislation of the type in force in Europe, U.S. companies such as Toys R Us have encountered difficulties when alleged to be dealing with customer information in breach of their published privacy policies, thus risking consumer dissatisfaction and involvement of the U.S. Federal Trade Commission.
Given these domestic concerns, it is in practice only a short further step to ensure compliance with European data protection legislation, and a step well worth taking.
Simon Smith is a partner at law firm Taylor Vinters in Cambridge, the United Kingdom, and head of its technology law practice, T2.