28th January is the 10th annual Data Protection Day in Europe, known as Privacy Day outside of Europe. This year, it represents a major tipping point.
The four year battle over the wording of the European Union’s new Data Protection Regulation was largely finished in December, meaning it is time to move on from the rhetoric of the opposing camps to planning for implementation.
Personal Data: the Lifeblood of Modern Life
Business wants one legal regime for personal data across Europe. But the final agreed document is pitched at an uncomfortably high level for many companies. Last month, Paul Nemitz, Director, Fundamental Rights and Union Citizenship at the European Commission, gave a rare commendation to a specific company for its privacy practices. He declared: “Personal data is not a commodity. It is the lifeblood of modern life in the 21st century. In European history and culture, a person is not an object … Personal data is like the stock market. If there is lack of confidence, then the value of a company goes down. Apple is strong on data and encryption, and is the world’s highest value company on the stock market.” He wanted to show that respect for personal data is compatible with commercial success.
For anyone not wanting to struggle through the 209 page document, here are a few of the Regulation’s most important strategic points for your organisation:
People worry about what is happening with their personal data. This can lead to distrust of the businesses and governments that hold and process this data. In the US, data breaches have been the main focus of attention for companies and individuals, driven by state legislation starting with California. But the emphasis in Europe is on rights for individuals and the resulting heavyweight legal duties for companies.
Unambiguous Consent for the Collection of Personal Data
Longstanding rights of access and correction are now greatly expanded to include “unambiguous consent” for use of a person’s data and a right of data portability. This means that, for example, individuals will be entitled to transfer their mobile device records from one supplier to get a quote from another.
A case which illustrates the unambiguous consent issue is the current legal battle between Facebook and Belgium’s Commission for the Protection of Privacy, in which the Belgian court imposed a fine of 250,000 euros a day payable to the Commission. The Belgian DPA’s position has now gained the support of other privacy regulators such as those in France, Spain and the Netherlands.
This case is a preview of what can be expected when the EU Data Protection Regulation enters into force in 2018. The Data Protection Authorities will expect a company, such as Facebook, which has not gained “unambiguous consent” for use of a person’s data, to comply with such orders in all territories of the EU, so that enforcement is consistent with the requirements of the EU Data Protection Regulation.
The Court of Justice of the European Union has also attracted more attention. Last October, it ruled in the Schrems case that the US-EU Safe Harbour was no longer valid as a legal basis for transferring personal data from the European Economic Area to the US. As a special deal for the US based on self-regulation, the Safe Harbour was regarded by some commentators as “neither safe nor a harbour.” As a result, many multinational companies, such as Salesforce, have quickly turned to the legal alternatives: EU model contracts and Binding Corporate Rules.
European storage and cloud services increasingly attractive
Seeing the direction of travel of the EU Data Protection Regulation negotiations, many companies are shifting their processing and storage of customer and employee data to a country in the European Union. This move gives companies more certainty about a secure legal basis for their processing of personal data. It is a substantial commercial opportunity for cloud services that let customers specify the country in which they want their service based. In the same way, some traditionally US-based cloud services now offer EU-based options. Microsoft is even fighting a long legal battle in the New York courts, denying that US law applies to these EU-based services. An EU-based archiving service is in some respects more attractive than one based in the US.
Any company offering an EU-based cloud service in 2016, whether used for archiving or processing, clearly recognises the underlying legal and cultural narrative behind the EU Data Protection Regulation. Data Protection Day is just one day, but the values it represents are now a fixture of the European landscape and are increasingly influential in the wider world.