European Data Privacy Rights: Not So Scary After All

By Simon Smith
August 22, 2003

Most e-commerce businesses and advisers outside Europe are generally aware that the European Union (E.U.) has what appear to be some strange and intricate laws relating to data privacy.

Because those laws appear complex, non-Europeans, or people generally operating outside Europe, can be tempted to ignore them; after all, they apply only in Europe, don't they?

But turning a blind eye to these data-privacy laws can prove dangerous and, in fact, the steps necessary to effect compliance are usually not that difficult.

Below are the main provisions of the European Data Protection Directive as they affect online businesses outside Europe. Also, some practical suggestions will be offered on how to minimize compliance costs.

Sorting out the Terminology

The core European legislative instrument is Directive 95/46/EC, commonly referred to as the Data Protection Directive (see www.europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=EN&numdoc=31995L0046&model=guichett). There are two principal forms of European legislation, the regulation and the directive.

A regulation is directly enforceable throughout the E.U. once it has passed the legislative stages involving the European Parliament, the European Commission and the European Council of Ministers.

A directive, on the other hand, is an instruction from the E.U. to each of the member states to implement national laws to comply with the terms of the directive.

Since the European law on data protection is a directive, each member state has to make national laws compliant with it. Those laws should have been operative from Oct. 1, 1998, and each member state must enforce the rules in its territory.

The directive is designed to protect personal data, defined as any information relating to an identified or identifiable natural person (the data subject). Rights under the directive then apply only to an individual person; they do not apply to companies or other corporate entities.

The directive controls the processing of personal data. Processing is very widely defined, and includes obtaining, recording or holding information or data, or carrying out any operation or set of operations on the information or data, including:

  • Organization, adaptation or alteration of the information or data;
  • Retrieval, consultation or use of the information or data;
  • Disclosure of the information or data by transmission, dissemination or otherwise making available; or
  • Alignment, combination, blocking, erasure or destruction of the information or data.

It is pretty clear that just about anything that could conceivably be done with data is covered by the term processing.

Under the directive, a data controller is, as the name suggests, the legal person who determines, possibly with others, the purposes and means of the processing of personal data. By contrast, a data processor is a legal entity that processes personal data on behalf of a controller; in other words, it is a body to which processing is subcontracted.

Where there is processing of personal data, the data controller must ensure that personal data is:

  • Processed "fairly and lawfully";
  • Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
  • Adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further processed;
  • Accurate and, where necessary, kept up-to-date; and
  • Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed.

Also, personal data processing may take place only in one of a series of specified circumstances. In the majority of cases, only the data subject's unambiguous consent to the processing will suffice. Each member state must have a data-protection authority and, in most cases, data processors must register with the appropriate authority before they can process data lawfully.

Any failure of a data controller to abide by provisions of the directive is dealt with by the relevant national law of the member state concerned. Most member states have criminal and civil sanctions to deal with data-protection issues, and the directive further specifically mandates each member state to enact laws that will permit a data subject to sue an errant data controller for compensation.

Effect Outside Europe

First the good news: The E.U.'s data protection laws will not apply unless the controller is established in at least one member state or, where the controller is not established within the E.U., it nonetheless uses equipment (automated or otherwise) situated in a member state's territory to process personal data, unless the use is merely transit. However, given the breadth of the definition of processing, it is likely that transit has a very restricted meaning indeed, and the practical reality is that if any non-E.U. e-commerce business uses any equipment within the E.U. in connection with personal data, then it is more likely than not that E.U. data protection law will apply.

Now the bad news: Article 25 of the directive prohibits the transfer of personal data to a country outside the European Economic Area (E.E.A.), that is, the 15 E.U. member states together with Norway, Iceland and Liechtenstein, in the absence of unambiguous data subject consent except, broadly, in three types of circumstances:

  1. Such a transfer may be permitted where the third country has what the European Commission considers to be an "adequate level of protection" for the rights of the data subject. So far the Commission has decided that the laws of Switzerland, Hungary and Canada meet this level.
  2. The European Commission believes the U.S. legal position on data protection does not meet these requirements. Accordingly, after lengthy negotiations, the E.U. and the United States agreed on a safe harbor arrangement whereby U.S. companies may self-certify compliance with the rules of the arrangements set out by the U.S. Department of Commerce and must publish a privacy policy confirming that they adhere to these rules (see http://europa.eu.int/smartapi/cgi/sga_doc?smartapicelexapiprodCELEXnumdoc&lg=en&numdoc=32000D0520&model=guichett). Signing up to the data protection safe harbor arrangements is voluntary but once a company has committed itself, then any breach of the rules may lead to the Department of Commerce taking legal action against the company concerned.
  3. The European Commission has agreed to standard contractual provisions that, if entered into between an E.E.A. business and a U.S. business, will provide data subjects with adequate protection. The draft contractual provisions in essence commit both sides to abide by basic E.U. data-protection principles.

Practical Steps

As previously indicated, in practical terms the most effective key to unlock the chains of European data protection laws is the clear and unambiguous consent of the data subject. For that consent to be effective, he or she must know precisely:

  • Who will do the processing;
  • What personal data is involved;
  • All purposes for which the personal data will be used; and
  • Where the data will be transferred.

As a consequence, wherever possible, clear and complete details should be included in any e-commerce Web site terms and conditions, and these terms and conditions should be viewed and positively accepted before any personal data can be transmitted. It would also be wise for any U.S. business reliant to any extent on personal data emanating from within the E.E.A. to ensure that providers of such data strictly adhere to European data protection legislation. If this is not the case, then European authorities might abruptly cut data flow, much to the disadvantage of the U.S. business concerned.

The E.U./U.S. safe harbor arrangement, however, is not proving to be particularly popular in practice, and only relatively few large corporations have signed up. While the reasons for this are not entirely clear, it is likely that the issues the safe harbor arrangement was meant to address are instead being addressed by the contractual provisions now approved by the Commission.

Conclusion

U.S. companies have discovered that it is often good business to publish a privacy policy and publicly adhere to it in order to attract and retain consumer goodwill. Even in the absence of complex legislation of the type in force in Europe, U.S. companies such as Toys R Us have encountered difficulties when alleged to be dealing with customer information in breach of their published privacy policies, thus risking consumer dissatisfaction and involvement of the U.S. Federal Trade Commission.

Given these domestic concerns, it is in practice only a short further step to ensure compliance with European data protection legislation, and a step well worth taking.


Simon Smith is a partner at law firm Taylor Vinters in Cambridge, the United Kingdom, and head of its technology law practice, T2.
