Applying the EU's Data Protection Law

By Guy Wheeler
April 01, 2004

Many Web sites, particularly e-commerce sites, collect large amounts of personal information about individuals, such as their e-mail address, home address and banking details.

Given the ever-increasing amount of data that is collected and the sensitivity surrounding the use of personal data for market research and e-commerce purposes, Web site owners need to be aware of how they use the information they have collected and their obligations to the individuals concerned.

In Europe, the European Union (EU) Data Protection Directive 1995 (Directive) aims to provide a working balance between the needs of data users and the public by facilitating and encouraging the free movement of personal data, while at the same time respecting the fundamental rights and freedoms of individuals, notably their right to privacy. The Directive is intended to harmonize the position in European member states that, in the past, afforded different levels of protection to individuals. In particular, the Directive gives national regulators powers to control what type of data can be processed abroad and allows them to halt exports of personal data to countries deemed not to have adequate protection, such as the United States.

The fundamental questions for Web site owners to address are:

  • Is the business dealing with protected personal data?
  • If yes, is it carrying out processing activities?
  • If yes, in which countries do the processing activities take place?

These questions will help to determine whether the Directive applies and which national implementing regulations must be satisfied.

What Personal Data is Protected?

The Directive applies to the processing of any information relating to a living, identifiable natural person (data subject). A person is identifiable if he or she can be identified directly or indirectly, in particular by reference to an identification number or to any factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

Data processing will not be covered by the Directive if any of the following applies:

  • The data is anonymous.
  • The data relates only to a company.
  • The processing is for reasons of national security, criminal investigation, or certain journalistic and literary or artistic reasons.
  • The processing is carried out by a natural person in the course of a purely personal or household activity.

The Directive contains more stringent rules for processing personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life.

What Processing Activities Does the Business Carry Out?

Any operation or set of operations performed on personal data, whether or not by automatic means, may be regarded as the processing of personal data. Activities that fall within the Directive include: collecting, recording, organizing, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, blocking, erasing or destroying personal data.

In Which Countries do Processing Activities Take Place?

The Directive, and national implementing legislation such as the U.K. Data Protection Act 1998, will apply only to the processing activities of Web sites based in an EU member state. If a Web site owner has no physical presence or equipment within an EU member state, including electronic presence such as the Web site being hosted on a server, neither the Directive nor the relevant national law will apply.

Note, however, that the placing of a cookie on a user's computer in the EU in order to create a profile of that individual's on-line behavior may constitute processing of personal data within the EU and, therefore, be caught by the Directive and the relevant local law.

Controllers and Processors

Any person who alone, or jointly with others, determines the purposes and means of the processing of personal data is a controller. Any person who is contractually bound to process personal data on the instructions of the controller is a processor.

The distinction between the two is sometimes unclear. Some e-commerce businesses sell or distribute their products internationally through third-party intermediaries, agents or independent contractors. In these businesses, it is often the third party that actually collects the information from the data subject and keeps a record of each data subject's details. The question then arises as to whether the intermediary or agent is the controller or processor.

The Directive places obligations on the controller relating to the use of personal data and the rights that must be given to the data subject. If the controller is not carrying out the processing itself, then it must enter into contractual obligations with the processor to ensure that the relevant requirements are met.

Non-EU based Web site owners supplying goods to EU customers will generally have to rely on local subsidiaries or intermediaries, and the transfer of personal data out of the EU from these intermediaries will be caught by the Directive and the relevant local laws. In practice, this means that any recipient businesses will have to put in place sufficient procedures to look after the personal data because otherwise, their intermediaries will be in breach of the Directive.

Basic Requirements

Data controllers must ensure that personal data is:

  • Processed fairly and lawfully, the most obvious example being if the data subject has unambiguously given its consent.
  • Collected only for specified, explicit and legitimate purposes, and not further processed in a way incompatible with those purposes.
  • Adequate, relevant (but not excessive), accurate and kept up-to-date.
  • In a form that permits identification of data subjects for no longer than is necessary.

The controller must provide the data subject with certain information, including:

  • The identity of the controller.
  • The purpose of the processing.
  • Any other information necessary to guarantee the fair processing of the personal data, such as who the recipients are, whether replies to the questions are obligatory or voluntary, and the existence of the right to access and to rectify the personal data.

Basic Rights

Controllers must ensure that the data subject has the right to:

  • Access the personal data, including the right to confirmation as to whether or not data relating to him is being processed and, if so, the purpose of such processing and a copy of such data.
  • Rectify, erase or block processing not compatible with the Directive.
  • Object to the processing of personal data that the controller anticipates being processed for the purposes of direct marketing.

Sanctions for Directive Noncompliance

Sanctions for noncompliance with data-protection laws exist in all EU countries. In general, imprisonment (where available) has rarely, if ever, been imposed and recourse to other sanctions, such as fines, is confined to the most extreme cases. However, the fines are getting bigger and the negative publicity can be very damaging.

Authorities in EU member states tend to favor reaching an amicable out-of-court solution, although seizure orders and injunctions to prevent illegal processing may be used.

Non-EU Web site owners should consider whether the Directive applies to them because they collect or process personal data within the European Union, or whether they need to put in place systems and contracts with third-party intermediaries within the EU to ensure compliance with European law.



Guy Wheeler www.taylorvinters.com