Do I need to comply with E.U. privacy laws?
I have not posted in some time because I enjoyed some traveling with the family in Hungary. Some of my cousins – by marriage – are lawyers in Budapest. They mainly peppered me with questions about the NSA and our take on privacy. I can’t repeat the compelling soliloquy I made for all Americans after a few Czech brews, but it was noticeable we had different takes about online privacy. This is not just a matter of good discussion at a ruin pub; your business needs to pay attention to E.U. privacy law, too.
The E.U. already has strict guidelines that apply to all of its member nations. Rather than protecting only certain categories of data, such as health or financial data or information about children, as we do here in the U.S., the E.U. looks to protect all personal information regardless of how benign it may appear.
Generally speaking, the E.U. prohibits the transfer of personal data to non-European Union countries that do not meet the European Union “adequacy” standard for privacy protection as directed in the European Union Directive on Data Protection of 1995. The U.S. is not on the list of countries deemed adequate.
Generally, to comply with existing E.U. guidelines you need to:
1. Give a notice of what you collect and what you do with it and how individuals can ask about it.
2. Give individuals the chance to opt-out of disclosure to third parties for reasons outside of the main purpose.
3. Ensure that any company to which you transfer data also has adequate protections.
4. Provide users access to the data you have about them.
5. Implement adequate security, data integrity and enforcement procedures.
The Department of Commerce, in consultation with the European Commission, developed a “Safe Harbor” program that qualifies companies to store and transfer personal information on E.U. residents so you don’t have to hire E.U. counsel. You can learn more about the process here at the Department of Commerce website.
Compliance in the Future
While its rules are already stricter than U.S. requirements, the E.U. is considering strengthening its laws with changes that may take place as soon as next year.
1. Will you need a forget-me button?
Recent proposals have suggested that a “right to be forgotten” will have to be implemented, requiring companies to erase all information about an individual on request. You can read more here on this proposal and how U.S. companies may fight it. If it becomes law in the E.U. next year, will you be able to offer this service?
2. Will you need consent to share data?
The E.U. is leaning towards a disclosure-and-consent process before any of the personal information you hold can be shared. This may require an affirmative opt-in for all cookies, with full disclosure of how the information will be used and shared.
As you may imagine, marrying a lawyer can make for some interesting conversations (or dreadful ones, depending on your outlook) at home. The same holds true with an extended family with multiple lawyers working on different continents with different outlooks.