With the increasingly global marketplace, there has been an influx of US and other foreign companies setting up offices and carrying out business in Europe. Such businesses need to comply with local laws, and one of the key areas which has caused difficulty for businesses is data protection.
This article looks at some of the key data protection issues facing international businesses and how the landscape is changing.
Lack of harmonisation
Although the 1995 EU Data Protection Directive (the Directive) was supposed to harmonise privacy rules across the EU, in reality there are great differences at national level as to how the provisions of the Directive have been implemented, interpreted and enforced.
While the key data handling principles of the Directive (such as fair and lawful processing, appropriate data security, rights of data subjects etc) underpin the laws of the 27 Member States, the detailed requirements “on the ground” can differ.
For example, the rules on data controller notification, the process for transfer of data outside the European Economic Area (EEA) and the meaning of data subject consent (and / or the method by which it can be given) can vary significantly between countries. This lack of harmonisation is a major concern for foreign businesses who often want to operate across Europe.
Much will depend on the nature of the processing to be undertaken, but often foreign businesses need to seek local law advice in each key market and, if appropriate, consider formulating a “lowest common denominator” approach to privacy compliance.
The Directive restricts the transfer of personal data outside the EEA except where adequate protections are in place in the “importing” country. Very few non-EU countries are recognised as offering “adequate” protection for personal data transferred from the EU.
For international companies, therefore, international transfers can be a major challenge, as most modern business is conducted in a fast-moving online environment, often with numerous cross-border data flows. Absent data subject consent (which in many cases has not been obtained or is not practicable), there are a number of methods of achieving compliance with this data protection requirement.
The most common method is to rely on so-called “model clauses” approved by the European Commission. However, to be effective, the provisions of these clauses cannot be amended. It can also be time-consuming putting in place and maintaining these agreements for every type of transfer between different parts of a global group (which will inevitably change over time).
Another solution which has found growing popularity with large corporations is Binding Corporate Rules (BCRs). Once in place, these instruments allow intra-group transfers of personal data (processed on a “data controller” basis) anywhere in the world.
To date, the complex and time-consuming exercise of putting in place BCRs and getting them approved by European regulators has meant that only a few companies, for example most recently First Data, have achieved them.
However, as part of the EU’s ongoing review of the Directive (see below) there is a suggestion that the European Commission wants to simplify the approval process for BCRs so that approval by one national regulator is sufficient for the whole of the EU and to extend the concept to include transfers to third party processors as well as intra-group.
This is a welcome development for the many international companies which struggle to put in place arrangements for the overseas transfer of data in compliance with EU data protection law.
New EU rules on cookies
This seems to suggest that individuals now have to give active consent to receive cookies and businesses cannot necessarily rely on current browser technology to gain consent. Although there is no specified method for how consent is to be obtained, obtaining such consent from users, such as through a click acceptance mechanism, is likely to be intrusive and may disrupt the user experience.
Data protection regulators and legislators across Europe are therefore wrestling with this change and are considering how businesses should comply with this consent requirement.
The ICO in the UK has given companies a year’s grace until May 2012 before it begins to apply its enforcement powers in relation to cookies. It gave further guidance in December 2011 as to how consent may be obtained. Businesses will be reassured to know that, although current browser technology is insufficient to obtain consent, the ICO does not rule out consent through browser settings altogether, and more sophisticated browsers in the future may be sufficient.
Similarly, as the public’s awareness of cookies grows in the future, businesses may be able to rely on mutual understanding as a form of implied consent from users for some cookies. This would require very clear information to be provided to users as to what cookies were used, what they did, the effect of rejecting them and how they could be turned off. Providing that information could be sufficient to show the user had a choice and gave consent.
At the moment the ICO does not believe general awareness of cookies is sufficient to rely on such implied consent, but it may become an option in the future.
EU Data Protection: A brighter future ahead?
The European Commission has reviewed EU data protection laws in order to keep pace with rapid technological development and to address concerns with fragmentation at a local level. The European Commission has indicated that the barriers faced by international businesses, particularly those operating online, are one of the major issues it wishes to address.
Indeed, an early version of the proposed new EU Data Protection Regulation suggests that there will be a range of improvements, including improving harmonisation between the rules in Member States and re-evaluating the position on transferring data outside the EEA.
Against this, it seems that the compliance risk faced by businesses will also increase – with possible fines based on a percentage of worldwide turnover and data processors having direct responsibilities for the first time. Although the content of the proposed Regulation may change and it is unlikely to be in force for 2 to 3 more years, it is hoped that this legislative initiative will herald a privacy regime fit for purpose for the 21st century.