Since 1995, the European Union Data Protection Directive has been a driving force in privacy protection worldwide. Implemented in law in E.U. member states and enforced by dozens of national and provincial (Germany alone has 16) Data Protection Authorities, the Directive’s effects have extended far beyond the borders of the countries that make up the union. While some of this has been the result of other countries naturally adopting similar data protection regimes, the primary mechanism has been the stringent cross-border data transfer requirements put in place by the Directive.
Before personal information of E.U. residents can be transferred outside of the E.U., data controllers (the person or body who determines the purpose and means of processing data) must ensure that the recipient has sufficient protection mechanisms in place. The Directive only provides for two principal methods of transfer, namely transfer to a jurisdiction with adequate legal protection or the use of model contract clauses between the parties. To date only eleven countries have been deemed adequate by the European Commission. In addition, a carve-out has been provided for companies in the United States that agree to be bound by the Safe Harbor Principles, administered by the U.S. Department of Commerce and enforced by the U.S. Federal Trade Commission.
Such an arrangement has proven exceedingly difficult for multinational corporations that have operations in countries around the world. A company seeking to do business in Germany that has servers in Singapore, support staff in India, a call center in South Africa and headquarters in Australia would need to create and maintain burdensome model contractual clauses between its various entities. Many companies have sought to use another mechanism, not explicitly provided for in the Directive but allowed under many member state laws and by the various Data Protection Authorities: Binding Corporate Rules. This mechanism comes with a caveat, though, as some authorities still require registration or approval for cross-border transfers of data to companies that have instituted Binding Corporate Rules.
This is about to change in the next few years. The Data Protection Directive was created in 1995, nearly 20 years ago. Three years before Google was founded. Nine years before Facebook. Twelve years before the first iPhone. Suffice it to say, a lot has changed in the last 20 years. Since 2012, many organizations in the European Union have been working on an update to the Directive. Though the regulation will likely be enacted this year, the General Data Protection Regulation (GDPR) is not slated to go into effect for another few years, to allow corporations time to make the necessary adjustments. Here are a few highlights that are being proposed:
- Unlike the Directive, which directs member states to implement compatible law, the GDPR will be harmonized and in force across the European Union.
- The Directive laid the entire burden on the Data Controller and didn’t apply to non-European entities that had no physical presence in Europe. The GDPR extends coverage to non-European entities that provide services (over the Internet) to Europeans and collect data about them. The proposal strengthens this by requiring such entities to appoint a representative in a member state. Furthermore, the GDPR will apply directly to Data Processors, not indirectly by contract through Data Controllers.
- In light of the above, this is an important note for Data Processors (such as cloud service providers). Violations of the regulation could draw fines of up to €100 million or 2-5% of annual worldwide turnover, whichever is higher. This is significantly more than many of the member states had enacted under the Directive. For instance, the United Kingdom has a maximum fine of £500,000 and to date has never fined any organization more than £325,000.
- Large entities, or those whose core business involves monitoring data subjects, must appoint a Data Protection Officer (currently required only in Germany). While being a Data Protection Officer has certain benefits, such as being a protected employee under employment law, the officer also bears the burden of criminal liability for the entity.
- Binding Corporate Rules are explicitly provided as a mechanism for compliance. This will work for both Data Controllers and Data Processors. Previously, companies that were not directly regulated under the Directive (e.g. processors) might have been reluctant to subject themselves to regulatory scrutiny. However, that scrutiny is no longer optional, making Binding Corporate Rules much more appealing.
Organizations that do business involving European data and have not yet considered a compliance strategy would be well advised to do so. While Safe Harbor in the United States has received a lot of flak recently because of the Snowden revelations, it remains the law and does not appear to be going away. Though several European court cases and the European Commission are creating uncertainty, it will be difficult, given the amount of business between Europe and the United States, for Europe to drop it wholesale. Organizations based principally in the U.S. should still consider this a viable option. Organizations with footprints outside the E.U., the U.S. or the other eleven adequate countries should consider model contractual clauses at a minimum to cover data transfers between countries.
Organizations with significant operations in multiple jurisdictions around the world that share data should consider Binding Corporate Rules. While they take a multi-year process to institute and require a significant commitment on the part of the organization, they can be an efficient mechanism once in place and ease negotiations with European customers.