GPSOLO July/August 2007
A Bird’s-Eye View of Data Protection in Europe
Your client’s sales to customers in Denmark, Sweden, Norway, and Finland have drastically increased since the beginning of the year. The company has arranged with a distributor located near the Charles de Gaulle Airport to package and ship orders to these customers. At the end of each quarter, the French distributor will send a sales report and other demographic data about these customers. Your client also has been able to reduce its data processing costs by outsourcing its computer operations to the Philippines. All e-mail inquiries about order tracking are routed to the call center in the Philippines.
This morning, your client called in a panic. At the last minute before signing the distribution agreement, the French distributor wants to include a ten-page addendum dealing with information privacy and security, and the addendum is not negotiable. The French company has also found out that the customer hotline is in the Philippines and wants "something to be done about this," but did not say what.
U.S. companies that sell to foreign customers or have operations abroad risk liability for violating non-U.S. data protection laws. Having an establishment or server in a foreign country makes a company subject to the laws of that country. Even without a local establishment, a U.S. company may find that its activities open it to the jurisdiction of a foreign court.
Approximately 50 countries now have substantial data protection laws. These laws are based on common fair-information principles, but their provisions may vary drastically. Western European countries, for example, rely on comprehensive legislation that applies to all types of personal data, without distinction. The approach in the United States, on the other hand, relies on a mix of legislation, regulation, and self-regulation and is far from protecting all categories of personal data.
Europe and Privacy
The European Union is now composed of Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom. In addition, Croatia, the former Yugoslav Republic of Macedonia, and Turkey have applied for membership.
Although not formal members, Norway, Iceland, and Liechtenstein have a close relationship with the European Union through the European Economic Area (EEA) Agreement. They participate in the internal market of the European Union but do not assume the full responsibilities of EU membership.
A legal patchwork. Most European countries’ data protection laws follow principles detailed in two EU directives, whether or not these countries are part of the European Union. These directives are 1) Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (commonly called the Data Protection Directive), and 2) Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (commonly called the e-Privacy Directive). The first directive applies to the collection, storage, disclosure, and other uses of personal data. The second directive addresses the use of "cookies" and places restrictions on spam, telemarketing, and the interception of communications and traffic data.
One misconception about data protection in Europe is that the 1995 Data Protection Directive is "the" privacy law in each EU country. In fact, EU directives are only principles for EU member states, which must implement them through their national laws. National legislation is required to bring into force the principles set forth in the directive. The principles are a floor. Each country can build additional restrictions (within limits). Consequently, the data protection laws of EU member states are not uniform, even though they are built on a similar foundation. Many European countries had data protection laws long before the adoption of the 1995 Data Protection Directive. Germany enacted its federal data protection law in 1977; France, Denmark, and Norway in 1978. Since the passage of the 1995 and 2002 Directives, each EU member state has updated its laws accordingly.
Common features. The data protection laws of EU or EEA countries, as well as Switzerland, have common elements. This article describes some of these common elements. However, when analyzing the requirements for compliance with data protection laws (or any other laws) in a country, it is essential to look at the specific data protection laws and regulations in that specific country. Looking at general principles provides only a vague, high-level appreciation of the applicable law.
European data protection laws focus on the "processing" of "personal data." "Processing" encompasses such essential activities as the collection, recording, organization, storage, use, transmission, and destruction of personal data. What constitutes "personal data" in European laws is much broader than in most U.S. laws. In the European Union, personal data includes any information relating to an identified or identifiable person ("data subject"). Phone numbers, addresses, or dates of birth, for example, are protected by law, as well as religion and trade union membership.
A company may process personal data only on a legitimate basis recognized by the applicable law. The basis most commonly relied on in commercial dealings is that the data subject has unambiguously given his or her consent, after having received appropriate notice of that company’s privacy practices. The organization must provide sufficient information so that the individual understands what is being collected; the proposed uses of the data; who is collecting and who will be processing the data, and for what purposes; whether the data will be provided to others, and the categories of recipients; the choices and means the organization offers individuals for limiting use and disclosure; and what security measures are used. The data collector must also inform data subjects that they have the right to access the personal data the company holds about them.
Personal data must be collected for specified, explicit, and legitimate purposes. The use of personal data must be limited to the purpose first identified. Further, an organization may not collect information that is not related to the purposes for which the data subject is providing the information. It may keep the data in a form that permits identification of individuals for no longer than is necessary for the purposes for which data were collected. To ensure accuracy, data collectors must take reasonable steps, such as cross-referencing data against multiple reliable sources and providing consumer access to data.
Confidentiality and security of the data. Organizations creating, maintaining, using, or disseminating personal data must ensure the confidentiality and security of the data and protect the data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. When the processing is carried out on behalf of an organization, the organization may choose only a service provider that offers sufficient assurances and guarantees with respect to security and confidentiality. A written agreement with the subcontractor is required, as is conducting due diligence before entering into the contract and monitoring the performance of the data processor throughout the relationship.
Direct marketing. Direct marketing rules create an opt-in regime much more stringent than that established by the U.S. CAN-SPAM Act. Europeans have the right to object to the processing of their data for direct marketing. For most commercial communications, recipients must give their prior explicit consent before direct marketing communications are addressed to them. There is a carve-out for the use of information collected in a prior relationship, within limits. When an organization has obtained (within the applicable legal requirements) the e-mail addresses of customers in the context of the sale of a product or a service, that same organization may use the e-mail address to send information about products or services that are similar to those previously provided to that customer.
Compliance requirements. To allow these rules to be monitored, each organization must interface with the applicable national data protection supervisory authority through a process called "notification." Organizations must inform their supervisory authority of the types of processing they carry out, as specified by their national law. Each country’s supervisory authority must keep a register of notified processing operations, and the register must be available for inspection by any person.
Transfers outside the European Economic Area. Data transfers outside the European Economic Area may take place only if the third country ensures an "adequate level of protection." To date, few countries have been deemed to provide the required level of protection: the members of the European Economic Area, Argentina, Canada, Guernsey, the Isle of Man, and Switzerland. After lengthy negotiations with the United States, the EU officials determined that U.S. data protection laws did not provide adequate protection.
Crossing the Pond
How can a U.S. organization continue doing business with EU-based companies and exchange the needed information about their customers? Fortunately, the prohibition against transferring personal data outside the European Economic Area is not absolute. There are exceptions.
First, the transfer is possible if each individual has consented to it. Of course, when seeking this consent, the organization must provide the individual with sufficient information, as explained earlier. In particular, the individual must be told whether the information might be transferred abroad and must be made aware that the country of destination does not offer the adequate protection required by the applicable European data protection laws. Only if the individual is properly informed will his or her consent be valid.
Alternatively, EU member states may authorize transfers of personal data to a third country that does not ensure adequate protection if the data controller "adduces adequate safeguards" with respect to data protection. These safeguards may result from appropriate contracts or documents. To date, several methods have been used.
The Safe Harbor regime. One avenue is to take advantage of the "Safe Harbor." After determining that U.S. laws did not offer the required adequate level of protection, the European Commission agreed with the U.S. Department of Commerce in 2000 to create a Safe Harbor whereby U.S. companies could, individually, be deemed to offer a sufficient level of protection if they agreed in writing to comply with certain specified "Safe Harbor Principles" with respect to their handling of personal information coming from the European Union.
To take advantage of the Safe Harbor regime, a U.S. corporation must self-certify to the U.S. Department of Commerce by filing the required papers. If the company complies with the representations made in its self-certification, it will be deemed to offer the adequate level of protection required by EU data protection laws.
The Safe Harbor regime, however, only facilitates data transfers between the European Union and the United States. In our hypothetical example, Safe Harbor would not apply to facilitate data transfers from the European Union to the Philippines.
Standard contractual clauses. Where the Safe Harbor regime cannot be used, U.S. organizations must enter into a contract with the European organization holding the data. In such contracts, the U.S. organization must make numerous commitments respecting the handling of these data. The data protection laws of the applicable European country dictate the substance of these commitments.
In 2001 and 2005, the European Commission adopted "standard contractual clauses" for use in connection with the transfer of personal data outside of the European Economic Area. The U.S. company and its European counterpart must sign a contract that includes the standard clauses, and the transfer must be notified to and/or approved by the applicable data supervisory authority. To ensure approval by the data supervisory authority, the standard clauses in the contract must not be modified. It is possible to add other provisions (for example, indemnification or commercial terms), but such additions may not supersede or conflict with the standard clauses as approved by the European Commission.
Binding corporate rules. The need to enter into hundreds of data transfer agreements that incorporate the mandatory clauses could overwhelm corporate groups with subsidiaries and affiliates worldwide. An additional method of obtaining approval for intra-group transfers was proposed in 2003. "Binding corporate rules" are a set of rules adopted by a multinational company to provide legally binding protections for data processing within the corporate group. Using binding corporate rules as the legal basis for international data transfers originating in the European Union requires the approval of each of the supervisory authorities of the countries from which the data are to be transferred.
The data protection regime in effect in Europe differs in many respects from that which is in place in the United States. European data protection laws apply to everyone and to any type of personal data. Individuals are granted more extensive rights than are their American counterparts.
Although Europe is an exciting market of more than 500 million inhabitants with sophisticated needs and substantial financial resources, stringent data protection laws create an obstacle to the free movement of personal data outside of the European borders. U.S. companies must know and understand their European clients’ rights with respect to their personal data and must be prepared to address the unique requirements presented by applicable European data protection laws.
Francoise Gilbert is the CEO of the IT Law Group (www.itlawgroup.com), a law firm headquartered in California. She may be reached at firstname.lastname@example.org.